2017 Speakers

David Blanco

Creating Realistic Cybersecurity Policies for Industrial Control Systems

Crafting a cyber security strategy that is simple enough to actually be implemented, yet nuanced enough to be effective, is no easy task. By reconciling IT security solutions’ prioritization of confidentiality against ICS’s prioritization of availability, this session will present the principles that a successful cyber security policy can be built around. This requires an understanding of the threats ICS will face in terms of probability, not possibility, which includes an explanation of how current ICS strategies fail. Policy foundations will then be presented that allow proven IT security strategies to be successfully applied to ICS legacy networks. These recommendations include 1) prioritizing the field equipment, 2) extending proven IP security strategies and techniques to the field, and 3) following accredited guidelines as a way to standardize and therefore successfully implement a strategy. Success is measured here by a policy’s likelihood of successful implementation and its actual ability to provide security.

David Blanco holds a Bachelor’s degree in Management Information Systems from the University of Texas and a Master’s of International Relations from Texas A&M University. He is currently a SCADA Security Adviser for Automation Solutions, where he has worked on SCADA systems since 2011. During this time, Mr. Blanco worked on the development and implementation of SCADA technologies. In his current capacity, he guides the development of cybersecurity technologies for his company and is part of the wider industry discussion through conferences. Mr. Blanco is also a member of the FBI’s InfraGard and the Gulf Coast Gas Management Society.

Dan Cornell

Monitoring Attack Surface and Integrating Security into DevOps Pipelines

A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing, and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Andy Earle

Putting the “Sec” into DevSecOps: How to Add Application Security to your DevOps Program

The software development industry has been significantly transformed over the last several years. The rise of DevOps and Continuous Integration / Continuous Delivery (CICD) methodologies has driven software release cycles from “agile” weeks down to days, and often hours. Some organizations release multiple versions of an app every day. A key consideration in the transformation to highly automated DevOps/CICD Software Development Lifecycle (SDLC) processes is where application security fits in. While we are better able to address time-to-market concerns, the question becomes “am I increasing the risk to my organization?” In this talk, we will cover how organizations address these concerns to secure their DevOps initiative and share “real-life” stories.

Andy Earle is a Security Solutions Architect for Hewlett Packard Enterprise. Andy has spent 6+ years designing and delivering application security programs, technology, and services for US Federal and commercial customers, specifically around HPE’s Fortify appsec products. Andy was previously the product manager for a high assurance multi-level secure operating system at BAE Systems, and Presales Engineer for various web development and mobile security firms. Andy has spoken extensively on application security topics at OWASP, SANS, RMISC, HPE Protect, and other events. Early experience includes software engineering, mobile application development, and lifeguarding at his neighborhood pool. Andy has a B.S. in Systems Engineering from the University of Virginia.

Michael Gough

Email is the #1 way we get pwned, so how do they keep getting by our defenses and what can you do about it?

This talk will walk through examples of how ransomware, commodity malware, word document malware, PDF based malware and APT campaigns manage to slip by our defenses and the security products we buy to prevent this very problem. Why? How? Is there anything we can do to stop this email hole? The answer is YES!
Turns out there is a LOT that can be done and I am at a loss as to why more don’t do these simple and extremely effective things that are basically FREE to implement. RansomWare for example can be stopped dead in its tracks with the methods the malwarians have been operating by for the past couple of years. Once you understand what these email gateway prevention solutions do, or were initially designed to do, you can begin to understand what they can’t do and how you can focus your efforts to help fill or close some of these gaps.

Michael Gough is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed the “Malware Management Framework” and several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons. Michael also blogs on HackerHurricane.com on various InfoSec topics.

Chris Gray

The Third Party Risk Management Maturity Model

Overview of third party risk management, which is the formal practice used by organizations to manage their vendors, suppliers, partners, and other external parties. Deep dive into the practices and techniques used to manage risks associated with the use of third parties, and the models that represent a progression of maturity ranging from aware through strategic. Speaker will include examples, and will leave time for audience interaction.

As the Vice President of the Optiv Enterprise Risk and Compliance consulting practice, Mr. Gray leads a world-class consulting organization delivering security and risk program assessment, development, and management; compliance assessment and remediation (HIPAA, HITRUST, ISO 27001, NIST 800-53, etc.); data protection and discovery activities; and governance, risk, and compliance platform (RSA Archer, LockPath Keylight, etc.) implementation and configuration.

Martin Fisher

Disruption: The Coming Changes to How We Do Information Security

We are at an inflection point in how we do information security. The number of threat actors continues to grow exponentially as does the number of vulnerabilities in the increasing number of systems we must protect. We cannot simply do what we’ve done to protect the vital systems we are charged with defending. We *must* seek out new technologies and ideas. In this talk we will discuss what I consider the most likely avenues to meeting this challenging future.

Martin Fisher has been in IT for more than 25 years and in information security for the last 15 years. He currently serves as the information security leader for a multi-hospital, 13,000-employee healthcare provider in Atlanta, Georgia. In the past he has worked in the commercial aviation and finance sectors for organizations large and small. Fisher has been heavily involved in the information security community as a member of the organizational staff of BSides Las Vegas and BSides Atlanta. Fisher is passionate about “doing security right” and has spoken internationally on a variety of information security topics at events including ShmooCon, SOURCE, SecurityZone, and various BSides events. He is also the host of the “Southern Fried Security” podcast, which has reached thousands of information security practitioners for the last six years.

Brad Green

The Hack Back: Hacking Team to Hacked Team

The Hacking Team breach in July of 2015 resulted in more than 400 GB of sensitive information being publicly released, including the source code for the offensive security programs the company sold and details on zero-day exploits. The leak had significant repercussions in the security world and caused major technology vendors (including Adobe and Microsoft) to issue emergency patches. Cybereason’s researchers built a laboratory environment with all the leaked data, activated an attack server and examined how the Hacking Team’s attacks worked. Almost a year later, in April of 2016, an actor with the handle “Phineas Phisher” released a manifesto claiming credit for the Hacking Team breach.

This presentation is an examination of both the Hacking Team’s offensive playbook, as well as the successful offensive operation carried out against them that ultimately resulted in the 2015 data dump.

Brad Green, Senior Sales Engineer at Cybereason, has been supporting, managing, securing, and selling into the endpoint space for over 15 years.

Rhett Greenhagen

Skip tracing for fun and profit

This talk will be somewhat humorous, taking real world examples from my work that are unclassified, with mug shots of them on their way to prison. Each example will start with what I had at the time I was given the target’s name and personals, and end with how I came across their information or lured them to a specific location for extraction by federal agents. Some of the examples include creating a phishing website based off of the target’s resume, finding an IP address through Xbox Live, using cell phone information as well as Facebook metadata to track the user, etc.

Rhett Greenhagen has worked in the Intelligence Community/Federal Government for most of his career, from being the primary forensic investigator for DoD’s largest data center to working in Cyber Counter Intelligence for multiple contractors in the Intelligence Community. He currently works for a major corporation providing intelligence services for government, private, and public companies. He specializes in Counter Intelligence, profiling, exploitation, open-source intelligence, malware creation and analysis, and exploit development and research.

Levi Gundert

Calculating Risk to Make Cyber Threat Intelligence Great Again

Everyone loves the concept of threat intelligence, but creating a valuable practice that benefits the business is difficult. Cyber threat intelligence only works to decrease risk in advance if risk is being quantitatively assessed on an ongoing basis. Do you know where there’s potential for real loss in your business? A new cyber threat does not necessarily translate into increased risk for the business. To be successful, threat intelligence must first understand risk and loss beyond guesswork for “likelihood of occurrence x impact”. In this session, we will enumerate a cyber threat taxonomy with specific and recent examples to practically explore the implications (or lack thereof) for threat relevance and business loss.

Levi Gundert is the Vice President of Intelligence & Strategy at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Previous industry roles include VP of Cyber Threat Intelligence at Fidelity Investments, Technical Leader at Cisco Talos, Principal Analyst at Team Cymru, and U.S. Secret Service Agent within the Los Angeles Electronic Crimes Task Force (ECTF). Gundert is a prolific speaker, blogger, and columnist, writing articles for Dark Reading, InformationWeek, and SC Magazine.

Jason Haddix and Daniel Miessler

The Game Security Framework (1.0)

In 2016 the videogame market became a 99.6 billion dollar industry… any reason why it shouldn’t be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc., with every bit the need for security that most internet hosted apps have (if not more in some cases). Join Jason and Daniel as they walk through the GSF and how it can help threat model gaming issues that have devastated new games. Learn from case studies of AAA titles plagued by hacking and, most importantly, learn how the GSF can help new developers and security testers alike root out bugs in your favorite titles.

Jason Haddix is the Head of Trust and Security at Bugcrowd. At Bugcrowd Jason works with customers, operations, and engineering to design enterprise ready, seamless, bug bounty and responsible disclosure programs. Jason’s interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, and static analysis. Jason lives in Santa Barbara with his wife and three children. Before joining Bugcrowd Jason was the Director of Penetration Testing for HP Fortify and held the #1 rank on the Bugcrowd researcher leaderboard for 2014/2015.

Daniel Miessler is the Director of Advisory Services at IOActive and has 17 years of experience in information security. His background is in technical security testing and enterprise defense, including network, web, application, mobile, IoT testing, and adversary-based risk management. He is the leader of the OWASP IoT Security project and speaks regularly at conferences, on panels, and to the media on the topics of information security and technology trends. He also produces a blog, podcast, and newsletter with similar themes.

Quincy ‘QJax’ Jackson

Red Team: Active Hacker Drills

The time is now to step up from boardroom round-table simulations and into actively simulating well-known attacks on your network before they actually happen. Join us in a presentation that will demonstrate attack scenarios to effectively measure your cyber defense position. The presenter will demonstrate the Red Team full engagement process, as well as secrets to SOC readiness and defense testing techniques. The audience will discover new Red Team tools that are safe to use for your active simulations. Additionally, the presenter will share his approach to effectively producing metrics and measurements for active hacker drills.

Quincy Jackson (CISSP, C|EH, GCIA, GWAPT, GREM) currently works as a Red Team Lead with over 20 years’ experience. Quincy actively develops Red Team exercises that are often driven by business stakeholders or specific organizational risks. His primary responsibilities include programs to evaluate and measure the actual effectiveness of the Security Operations Center. His SOC Readiness and Defense Testing programs were created to reduce uncertainty and give assurance regarding detection, analysis and cyber defense capabilities. Quincy also specializes in web application security, penetration testing, mobile device hacking, and cyber threat defense techniques.

Dennis Maldonado

Hacking Networks Made Easy – Finding and Fixing Low Hanging Fruit

Oftentimes hackers don’t need a super 1337 exploit to compromise a network. What’s the point of remotely exploiting a box when you can just guess the password, run a common attack, or utilize an employee’s rogue backdoor? In this talk, we will discuss and demonstrate how to find the low hanging fruit that can lead to full compromise of the network and what can be done to detect and protect against them. This presentation will provide you with actionable items for your red and blue teams that can be started immediately without spending any additional money or purchasing any tools. You will also leave with the understanding that the blue team may benefit from taking a step back and focusing on improving their initial security posture.

Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, red teaming, and security research. Dennis’ focus is encompassing all forms of information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis co-founded Houston Locksport in Houston, Texas, where he shares his love for lock-picking and physical security, as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area.

Gordon MacKay

Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program

Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge which results in heinous consequences, thereby killing your InfoSec program. This session shares clues on this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid future similar InfoSec crimes.

Gordon MacKay, Software/Systems Guru with a dash of security hacking, serves as CTO for Digital Defense, Inc. He has presented at many conferences including 2016 ISSA International Conference, ISC2 Security Summit 2016, BSides DC 2016, Cyber Texas 2016, BSides Detroit 2016, BSides San Antonio, BSides Austin, BSides DFW, RSA, and more, and has been featured by top media outlets such as Fox News, CIO Review, Softpedia and others. He holds a Bachelor’s in Computer Engineering from McGill University and is a Distinguished Ponemon Institute Fellow.

Cory Mathews

Asset Awareness: What do you have and where exactly did you leave it?

Today’s companies, corporations, and organizations range from the mom and pop shop on the corner to large multinational conglomerates. Even though there is a drastic difference in size (and monetary value), every single organization shares the trait of having some sort of digital footprint. As a pentester who has worked with clients across that entire range, my experience has shown that very few, if any, organizations are completely aware of their digital footprint or even what assets they have exposed to the web.

The information that is contained in these footprints can be a treasure trove of data for both the good guys paid to hack and the threat actors in the wild. Knowing what you and your organization expose to the world is a great first step. Doing something to reduce that footprint and limiting the availability of sensitive information to the attackers is one of the best proactive steps an organization can take in the name of security.

Cory is a Penetration Tester and Security Consultant for Critical Start. He brings in-depth knowledge of the tools and tactics of both the offensive and defensive sides to the Critical Start team. He has experience working in both the private and public sector as an incident response expert, as well as assisting those same organizations as an OSINT/Dark Web intel analyst. Cory has served as a Digital Forensic Engineer/Investigator in support of law firms, law enforcement, and other agencies. Throughout his career, Cory has worked in the private security, investigations, automotive, and engineering industries. This diverse experience has provided him with many different perspectives concerning information security.

Eric Parizo

Security Product Integration Frameworks: A Game-Changer for Enterprise Security

Organizations have long been frustrated with the lack of integration among their enterprise security point products. The average large enterprise uses dozens of unique commercial security products and services, with few if any of them designed to work together. This forces enterprises to integrate products with vendors’ clunky APIs, build their own custom product-to-product integrations, or make do with a low-efficacy security product ecosystem that is merely the sum of its parts. The emergence of security product integration frameworks (SPIFs) has the potential to change all that by facilitating security-related metadata sharing, enabling standalone security products and services to interoperate more effectively, and ultimately improving the efficacy of enterprises’ unique security architectures. This presentation will explain what SPIFs are, how they work, the differences between today’s leading SPIFs, and advice for enterprises when choosing, implementing, and utilizing SPIFs.

As Senior Analyst for Enterprise Security at competitive intelligence research firm Current Analysis, Eric Parizo is responsible for tracking and analyzing the evolving technological and competitive developments in the enterprise information security market. Eric’s key areas of emphasis include enterprise network security (next-generation firewall and IPS appliances), enterprise mobility management and security, as well as top-tier enterprise security vendor strategy. Eric previously spent nearly 15 years as a highly-regarded technology journalist and editor at TechTarget, where he was Executive Editor for the Security Media Group. Eric is a nine-time ASBPE award winner, the industry’s top award for business-to-business publishing excellence.

Michelle Pellon

Michelle Pellon is a Security Analyst at the Conroe Independent School District.

Zach Lanier

I, For One, Welcome Our New _______ Overlords: A Discussion on Electronic Voting Machine Security

Short of a few exceptional cases, including some previous research, electronic voting machines have largely been black boxes. The 2016 elections echoed, very eerily, the same concerns of the security and reliability of these machines as elections from nearly a decade ago, if not beyond. In order to help call attention to the seriously problematic state of voting machine security, we demonstrate new and updated methods of compromising voting machine hardware. We were able to compromise a Sequoia AVC Edge by several means, and were able to take complete control of the machine by means of removable media. We can alter vote counts, and more. We will present all our current findings and discuss the abysmal state of electronic voting machine security.

Zach is currently Director of Research with Cylance, where he helps run the Vulnerability Research/Intelligence team. He specializes in various bits of network, application, mobile, and embedded security. Prior to joining Cylance, Zach most recently served as a Senior Research Scientist with Accuvant Labs, and prior to that as a Senior Security Researcher with Duo Security. He has spoken at a variety of security conferences, such as Black Hat, DEF CON, CanSecWest, INFILTRATE, Countermeasure, and SummerCon, and is a co-author of the “Android Hackers’ Handbook” (Wiley, 2014).

Lsly and Aaron Bayles

Nose Breathing 101: A Guide to Infosec Interviewing

The Information Security sector is a special place filled with special snowflakes. For a special snowflake, interviewing for a job can sometimes be a daunting or awkward task. There is a thin line when talking to humans between looking cocky and potato. On the other side, the interviewer must understand that there’s a limited pool of special snowflakes. There’s a sweet spot between auto-hiring someone and telling them you’ll need three months to make a decision. Each snowflake must be nurtured into a beautiful snowerfly, or whatever their final form may be. For this talk Richard plans to start a conversation about how to interview and be interviewed in the information security space. Good interviews combine a mix of targeted questions, appropriate information sharing, and a goal of what you’d like to learn from a person and vice versa. Bad interviews… don’t. This leads to bad hires, good snowflakes being pushed aside, stupid questions being asked, people being sad pandas, poor team cohesion, and a general overwhelming feeling of meh. Do not despair, this is a solvable situation. Come join me on the journey to being less meh at hiring!

Lsly – Lsly is a Penetration Tester, perpetual Linux sysadmin, and multi-platform gamer. She’s part of the organizing staff at Nolacon and a volunteer for BSides Charm — giving back to her infosec family. Lsly is hungry to learn and is now working on the OT staples of ICS/SCADA. Typically you’ll find her scoping out WAPs, wiggling ATM card readers, and hiding in a corner with music, a 3DS, and CTFs.

Aaron Bayles (@alxrogan) has been doing the Infosec song and dance since ’95. He has seen a million endpoints and rocked them all. He lives outside Houston and currently dabbles with all things Infosec and ICS/SCADA security.

Women in Cybersecurity

“Own I.T.” Houston Women in Cybersecurity Panel: Building confidence, community, and a network for women to thrive in Cyber Security.

Join us for the “Own I.T.” Houston Women in Cybersecurity panel session! We will create a conversation around challenges, triumphs, and resources to be a confident, authentic, and well-connected female in our industry. This group launched in October 2016 with a mission to build confidence and authenticity, and to develop a network of mentors for women in our industry. We focus on developing creative content and taking action towards creating positive change in our lives, organizations, and the communities we serve. We are leaders in the industry. We choose to “Own I.T.” and be an ambassador for developing women from early career to executive management in Cyber Security.

The Panel:

  • Keirsten Brager, CISSP, MBA, Tripwire Engineer
  • Michelle Ellis, Sales Manager, Crowdstrike
  • Holly Vaught, Sales Manager, Critical Start
  • Tamara Cabrilo, IT Recruiter at Genuent
  • Jessica Patterson, Check Point Software