Creating Realistic Cybersecurity Policies for Industrial Control Systems
Crafting a cyber security strategy that is simple enough to actually be implemented, yet nuanced enough to be effective, is no easy task. By reconciling IT security solutions’ prioritization of confidentiality against ICS’s prioritization of availability, this session will present the principles that a successful cyber security policy can be built around. This requires an understanding of the threats ICS will face in terms of probability, not possibility, which includes an explanation of how current ICS strategies fail. Policy foundations will then be presented that allow proven IT security strategies to be successfully applied to ICS legacy networks. These recommendations include 1) prioritizing the field equipment, 2) extending proven IP security strategies and techniques to the field, and 3) following accredited guidelines as a way to standardize and therefore successfully implement a strategy. Success is measured here by a policy’s likelihood of successful implementation and its actual ability to provide security.
Monitoring Attack Surface and Integrating Security into DevOps Pipelines
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
Putting the “Sec” into DevSecOps: How to Add Application Security to your DevOps Program
The software development industry has been significantly transformed over the last several years. The rise of DevOps and Continuous Integration / Continuous Delivery (CICD) methodologies have driven software release cycles from “agile” weeks down to days, and often hours. Some organizations release multiple versions of an app every day. A key consideration in the transformation to highly automated DevOps/CICD Software Development Lifecycle (SDLC) processes is where application security fits in. While we are better able to address time-to-market concerns, the question becomes “am I increasing the risk to my organization”? In this talk, we will cover how organizations address these concerns to secure their DevOps initiative and share “real-life” stories.
Email is the #1 way we get pwned, so how do they keep getting by our defenses and what can you do about it?
This talk will walk through examples of how ransomware, commodity malware, word document malware, PDF based malware and APT campaigns manage to slip by our defenses and the security products we buy to prevent this very problem. Why? How? Is there anything we can do to stop this email hole? The answer is YES!
Turns out there is a LOT that can be done, and I am at a loss as to why more don’t do these simple and extremely effective things that are basically FREE to implement. Ransomware, for example, can be stopped dead in its tracks with the methods the malwarians have been operating by for the past couple of years. Once you understand what these email gateway prevention solutions do, or were initially designed to do, you can begin to understand what they can’t do and how you can focus your efforts to help fill or close some of these gaps.
The Third Party Risk Management Maturity Model
Overview of third party risk management, which is the formal practice used by organizations to manage their vendors, suppliers, partners, and other external parties. Deep dive into the practices and techniques used to manage risks associated with the use of third parties, and the models that represent a progression of maturity ranging from aware through strategic. Speaker will include examples, and will leave time for audience interaction.
As the Vice President of the Optiv Enterprise Risk and Compliance consulting practice, Mr. Gray leads a world-class consulting organization delivering security and risk program assessment, development, and management; compliance assessment and remediation (HIPAA, HITRUST, ISO 27001, NIST 800-53, etc.); data protection and discovery activities; and governance, risk, and compliance platform (RSA Archer, LockPath Keylight, etc.) implementation and configuration.
Disruption: The Coming Changes to How We Do Information Security
We are at an inflection point in how we do information security. The number of threat actors continues to grow exponentially as does the number of vulnerabilities in the increasing number of systems we must protect. We cannot simply do what we’ve done to protect the vital systems we are charged with defending. We *must* seek out new technologies and ideas. In this talk we will discuss what I consider the most likely avenues to meeting this challenging future.
The Hack Back: Hacking Team to Hacked Team
The Hacking Team breach in July of 2015 resulted in more than 400 GB of sensitive information being publicly released, including the source code for the offensive security programs the company sold and details on zero-day exploits. The leak had significant repercussions in the security world and caused major technology vendors (including Adobe and Microsoft) to issue emergency patches. Cybereason’s researchers built a laboratory environment with all the leaked data, activated an attack server and examined how the Hacking Team’s attacks worked. Almost a year later, in April of 2016, an actor with the handle “Phineas Phisher” released a manifesto claiming credit for the Hacking Team breach.
This presentation is an examination of both the Hacking Team’s offensive playbook, as well as the successful offensive operation carried out against them that ultimately resulted in the 2015 data dump.
Skip tracing for fun and profit
This talk will be somewhat humorous, taking real world examples from my work that are unclassified, with mug shots of them on their way to prison. Each example will start with what I had at the time I was given the target’s name and personals, and end with how I came across their information or lured them to a specific location for extraction by federal agents. Some of the examples include creating a phishing website based off of the target’s resume, finding an IP address through Xbox Live, using cell phone information as well as Facebook metadata to track the user, etc.
government, private, and public companies. Specializing in Counter Intelligence, profiling, exploitation, open-source intelligence, malware creation and analysis, and exploit development and research.
Calculating Risk to Make Cyber Threat Intelligence Great Again
Everyone loves the concept of threat intelligence, but creating a valuable practice that benefits the business is difficult. Cyber threat intelligence only works to decrease risk in advance if risk is being quantitatively assessed on an ongoing basis. Do you know where there’s potential for real loss in your business? A new cyber threat does not necessarily translate into increased risk for the business. To be successful, threat intelligence must first understand risk and loss beyond guesswork for “likelihood of occurrence x impact”. In this session, we will enumerate a cyber threat taxonomy with specific and recent examples to practically explore the implications (or lack thereof) for threat relevance and business loss.
Jason Haddix and Daniel Miessler
The Game Security Framework (1.0)
In 2016 the videogame market became a 99.6 billion dollar industry… any reason why it shouldn’t be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc., with every bit the need for security that most internet hosted apps have (if not more in some cases). Join Jason and Daniel as they walk through the GSF and how it can help threat model gaming issues that have devastated new games. Learn from case studies of AAA titles plagued by hacking and, most importantly, learn how the GSF can help new developers and security testers alike root out bugs in your favorite titles.
Daniel Miessler is the Director of Advisory Services at IOActive and has 17 years of experience in information security. His background is in technical security testing and enterprise defense, including network, web, application, mobile, IoT testing, and adversary-based risk management. He is the leader of the OWASP IoT Security project and speaks regularly at conferences, on panels, and to the media on the topics of information security and technology trends. He also produces a blog, podcast, and newsletter with similar themes.
Quincy ‘QJax’ Jackson
Red Team: Active Hacker Drills
The time is now to step up from boardroom round-table simulations and into actively simulating well-known attacks on your network before they actually happen. Join us in a presentation that will demonstrate attack scenarios to effectively measure your cyber defense position. The presenter will demonstrate the Red Team full engagement process, as well as secrets to SOC readiness and defense testing techniques. The audience will discover new Red Team tools that are safe to use for your active simulations. Additionally, the presenter will share his approach to effectively producing metrics and measurements for active hacker drills.
Hacking Networks Made Easy – Finding and Fixing Low Hanging Fruit
Oftentimes hackers don’t need a super 1337 exploit to compromise a network. What’s the point of remotely exploiting a box when you can just guess the password, run a common attack, or utilize an employee’s rogue backdoor? In this talk, we will discuss and demonstrate how to find the low hanging fruit that can lead to full compromise of the network and what can be done to detect and protect against it. This presentation will provide you with actionable items for your red and blue teams that can be started immediately without spending any additional money or purchasing any tools. You will also leave with the understanding that the blue team may benefit from taking a step back and focusing on improving their initial security posture.
Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, red teaming, and security research. Dennis’ focus is encompassing all forms of information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis co-founded Houston Locksport in Houston, Texas, where he shares his love for lock-picking and physical security, as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area.
Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program
Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge which results in heinous consequences, thereby killing your InfoSec program. This session shares clues on this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid future similar InfoSec crimes.
Asset Awareness: What do you have and where exactly did you leave it?
Today’s companies, corporations, and organizations range from the mom and pop shop on the corner to large multinational conglomerates. Even though there is a drastic difference in size (and monetary value), every single organization shares the trait of having some sort of digital footprint. As a pentester who has worked with clients across that entire range, my experience has shown that very few, if any, organizations are completely aware of their digital footprint or even what assets they have exposed to the web.
The information that is contained in these footprints can be a treasure trove of data for both the good guys paid to hack and the threat actors in the wild. Knowing what you and your organization expose to the world is a great first step. Doing something to reduce that footprint and limiting the availability of sensitive information to attackers is one of the best proactive steps an organization can take in the name of security.
Security Product Integration Frameworks: A Game-Changer for Enterprise Security
Organizations have long been frustrated with the lack of integration among their enterprise security point products. The average large enterprise uses dozens of unique commercial security products and services, with few if any of them designed to work together. This forces enterprises to integrate products with vendors’ clunky APIs or build their own custom product-to-product integrations, or make do with a low-efficacy security product ecosystem that is merely the sum of its parts. The emergence of security product integration frameworks (SPIFs) has the potential to change all that by facilitating security-related metadata sharing, enabling standalone security products and services to interoperate more effectively, and ultimately improving the efficacy of enterprises’ unique security architectures. This presentation will explain what SPIFs are, how they work, the differences between today’s leading SPIFs, and advice for enterprises when choosing, implementing, and utilizing SPIFs.
Michelle Pellon
Michelle Pellon is a Security Analyst at the Conroe Independent School District.
I, For One, Welcome Our New _______ Overlords: A Discussion on Electronic Voting Machine Security
Short of a few exceptional cases, including some previous research, electronic voting machines have largely been black boxes. The 2016 elections echoed, very eerily, the same concerns of the security and reliability of these machines as elections from nearly a decade ago, if not beyond. In order to help call attention to the seriously problematic state of voting machine security, we demonstrate new and updated methods of compromising voting machine hardware. We were able to compromise a Sequoia AVC Edge by several means, and were able to take complete control of the machine by means of removable media. We can alter vote counts, and more. We will present all our current findings and discuss the abysmal state of electronic voting machine security.
CanSecWest, INFILTRATE, Countermeasure, and SummerCon, and is a co-author of the “Android Hackers’ Handbook” (Wiley, 2014).
Lsly and Aaron Bayles
Nose Breathing 101: A Guide to Infosec Interviewing
The Information Security sector is a special place filled with special snowflakes. For a special snowflake, interviewing for a job can sometimes be a daunting or awkward task. There is a thin line when talking to humans between looking cocky and potato. On the other side, the interviewer must understand that there’s a limited pool of special snowflakes. There’s a sweet spot between auto-hiring someone and telling them you’ll need three months to make a decision. Each snowflake must be nurtured into a beautiful snowerfly, or whatever their final form may be. For this talk Richard plans to start a conversation about how to interview and be interviewed in the information security space. Good interviews combine a mix of targeted questions, appropriate information sharing, and a goal of what you’d like to learn from a person and vice versa. Bad interviews… don’t. This leads to bad hires, good snowflakes being pushed aside, stupid questions being asked, people being sad pandas, poor team cohesion, and a general overwhelming feeling of meh. Do not despair, this is a solvable situation. Come join me on the journey to being less meh at hiring!
Lsly – Lsly is a Penetration Tester, perpetual Linux sysadmin, and multi-platform gamer. She’s part of the organizing staff at Nolacon and a volunteer for BSides Charm — giving back to her infosec family. Lsly is hungry to learn and is now working on the OT staples of ICS/SCADA. Typically you’ll find her scoping out WAPs, wiggling ATM card readers, and hiding in a corner with music, a 3DS, and CTFs.
Aaron Bayles (@alxrogan) has been doing the Infosec song and dance since ’95. He has seen a million endpoints and rocked them all. He lives outside Houston and currently dabbles with all things Infosec and ICS/SCADA.
Women in Cybersecurity
“Own I.T.” Houston Women in Cybersecurity Panel: Building confidence, community, and a network for women to thrive in Cyber Security.
Join us for the “Own I.T.” Houston Women in Cybersecurity panel session! We will create a conversation around challenges, triumphs, and resources to be a confident, authentic, and well-connected female in our industry. This group launched in October 2016 with a mission to build confidence and authenticity, and to develop a network of mentors for women in our industry. We focus on developing creative content and taking action towards creating positive change in our lives, our organizations, and the communities we serve. We are leaders in the industry. We choose to “Own I.T.” and be ambassadors for developing women from early career to executive management in Cyber Security.