BSidesPhilly 4 Schedule


Wireless > WiFi || Thinking (More) About What Wireless Really Means
Dec 4

Speaker: Nick Delewski (Track 2)

The "user" mindset of wireless communications conjures a limited set of technologies. However, myriad methods of wireless communications are being used all around us, every day. This talk challenges the audience to expand their concept of wireless beyond 802.11 and Bluetooth and what it means for personal and enterprise OpSec.

Navigating DevOps Security Journey at Scale with OWASP SAMM 2.0
Dec 4

Speaker: Hardik Parekh (Track 1)

In today’s agile environment, it’s important to know the maturity of your software assurance program. In this talk, we will introduce OWASP SAMMv2 - an effective and measurable way to analyze and improve software assurance posture in 3 levels of maturity - thus creating a step-by-step navigation plan.

OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company risk profile, organizational structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely to lead to just marginal and unsustainable improvements. OWASP Software Assurance Maturity Model (SAMM) gives you an effective and measurable way for all types of organizations to analyze and improve their software security posture in 3 levels of maturity - thus creating a step-by-step software assurance navigation plan. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization. In this talk, we give an overview of the new release of the SAMM model. Ten years after its first conception, it was important to align it with today’s development practices.

We will cover a number of topics in the talk:

  1. The core structure of the model, which was redesigned and extended to align with modern development practices

  2. The measurement model, which was set up to cover both coverage and quality

  3. The new security practice streams where the SAMM activities are grouped in maturity levels. We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.

It is time to revisit the security debate between the X 86/Wintel and the IBM z/OS mainframe platform; The reason is that the Z/14 (IBM Z/OS) will entail pervasive encryption
Dec 4

Speaker: Paul F Renda & Nick Benigno (Track 2)

The pervasive encryption of the 14 Z/OS mainframe is a significant paradigm shift in information processing. The IBM platform will be able to encrypt all data by default. This new property is also one of the least known accomplishments in cyber information security today.

I will review the historical relationship between x86 Wintel and Z/OS security; explain classifications from the DOD orange book, and the Evaluation Assurance Levels (EAL), including the debate over the cost differential between the two platforms. This talk can fill in some critical security information that is not covered by current security certifications. I will also go over the differences between discretionary access control and mandatory access control.

Pervasive encryption: how is this achieved? The properties of the new z/14 processor will be discussed, and how its physical and electrical properties will accomplish this goal.

The Cloud is for Launching Cyberattacks
Dec 4

Speaker: Raymond Canzanese (Track 1)

The scale and ease-of-use of the cloud make it the ideal environment for launching cyberattacks. In the past year, we have uncovered phishing campaigns, scams, Trojans, malware payloads, command and control servers, data exfiltration channels, and more, all hosted on popular cloud services. Cloud services provide excellent cover, especially when the attack uses the same cloud services as the victim.

By far the most popular ways cloud services are used in cyberattacks are for phishing and malware delivery. Once inside an organization, traditional methods still dominate, but cloud services are becoming more popular. Cloud services are even gaining popularity among insider threats -- 7% of all users copy sensitive data from their employers to their personal accounts. In this presentation, we provide statistics collected from millions of users from hundreds of organizations, specific examples of threats, and recommendations to prevent organizations from falling victim to the next cloud-based cyberattack.

Automating Threat Hunting on the Dark Web and other Nitty-Gritty Things
Dec 4

Speaker: Apurv Singh Gautam (Track 2)

What's the hype with the dark web? Why are security researchers focusing more on the dark web? How do you perform threat hunting on the dark web? If you are curious about the answers to these questions, then this talk is for you. The dark web hosts several sites where criminals buy, sell, and trade goods and services like drugs, weapons, exploits, etc. Hunting on the dark web can help identify, profile, and mitigate organizational risks if done timely and appropriately. This is why threat intelligence obtained from the dark web can be crucial for any organization. In this presentation, you will learn why threat hunting on the dark web is necessary, different methodologies to perform hunting, the process after hunting, and how hunted data is analyzed. The main focus of this talk will be automating threat hunting on the dark web. You will also get to know what operational security (OpSec) is, why it is essential while performing hunting on the dark web, and how you can employ it in your daily life.

The Complete n00b's Guide to Cloud Security
Dec 4

Speaker: Cassandra Young (Track 1)

As organizations increasingly move into the cloud, where do you start when security in the cloud encompasses a dizzying array of services? How do you balance convenience and security, or the familiarity of on-prem with the unknowns of the cloud?

In this talk we'll walk through the fundamentals of Cloud Security: the Shared Responsibility model, IAM in the cloud, logging and monitoring, containers and serverless, and the common elements that connect them. Examples will cover primarily AWS, but the focus will be on broad concepts that transcend platform.

Lessons from the SOC: Defending Healthcare/Pharma during COVID
Dec 4

Speaker: Kyle Sheely (Track 1)

The COVID-19 pandemic impacted all businesses. For healthcare and pharma, it heightened preexisting issues in their information security on top of presenting new ones. Almost every facet has had to turn on a dime towards COVID.

In this talk, you will explore the challenges and lessons learned of protecting healthcare/pharma clients from the perspective of a lead SOC analyst, including:

  • What's new/changed vs. what's the same in the threat landscape

  • Training new analysts in a completely virtual setting

  • Defending a workforce transitioning to remote work

  • Managing shifting priorities and assuaging anxiety in the C-Suite

  • Projected lasting effects on the industry, and more

Lightspeed SQL Injections
Dec 4

Speaker: Reuben Ventura (Track 2)

SQL injections are still of high importance, even these days.

[+] Performing blind SQL injections is very cumbersome and slow.

[+] Using automated tools is almost always a need.

[+] The objective of this talk is to change and evolve the classic injections and discover better methods.

Disabled Security: The Role of Universal Design in Cybersecurity
Dec 4

Speaker: Madeline Bright (Track 1)

Security technology does nothing if it isn’t used -- or, if someone is unable to use it. Psychological human factors have already been thoroughly examined within the cybersecurity field. But what about cases where the use barriers are rooted in more than just natural human heuristics? People with disabilities, both as consumers and professionals, should not have to choose between accessibility and security. For example, some accessibility measures can compromise security -- shoulder surfing is easier if a person uses large fonts and high contrasts. Further, some security measures can compromise accessibility -- like when an application designed to prohibit copying text also prohibits screen readers from examining its content. So how can we ensure that these people stay safe in the digital world while maintaining their access to it?

The idea that all people should have equitable access and security is covered in Mace’s Seven Principles of Universal Design, which are points to consider when ensuring a design for a space or product will be useful to a diverse audience. Originally intended for architectural purposes, many of the principles also apply to and can be implemented within the virtual world (for example, during the development of an application). I want to examine, through the lens of my own experiences as a disabled computer science student and systems administrator, how accessibility, security, and universal design intersect, and how we can strengthen security by ensuring that it does not inhibit access.

SPNDL: Security Policy Notation and Description Language
Dec 4

Speaker: Jonathan Magen (Track 1)

How can you specify security policies so that computers can analyze and enforce them? SPNDL began as an eccentric idea for building a policy domain-specific language (DSL), and evolved into one of the most in-depth research projects I've ever undertaken. Before its conclusion, the effort yielded not only syntax and semantics required to formally (and unambiguously) specify system-level security policies, but also an entire family of programs for working with them.

This talk will begin by introducing SPNDL, the Security Policy Notation and Description Language. The presentation will detail the goals leading to SPNDL's inception and development, while also providing a theory of operation. It will feature real examples of SPNDL policies as well as delve into the architecture of its surrounding toolset. After detailing pros and cons, this talk will conclude with a brief enumeration of future work opportunities.

Quantum Mary of Scots
Dec 4

Speaker: Peter Scheffler (Track 2)

Quantum Encryption is a fast-approaching technology requiring security experts to understand the implications it presents. We only need to look at examples of cryptanalytic milestones to see why we need to be wary. Using these quantum leaps, the audience will be entertained and educated on Quantum Cryptanalytics and what can be done TODAY to prepare our data and ourselves.

Asking Questions and Writing Effectively
Dec 4

Speaker: Christopher Lopez (Track 2)

How an analyst approaches an investigation is guided by the questions they ask themselves. Anyone can be an effective investigator! All it takes is some understanding of how to frame your investigation around specific questions. I will walk through these questions, how they aid in the collection of evidence, where they come from, and how to effectively write down the answers in a report.

What if we had TLS for Phone Numbers? An introduction to SHAKEN/STIR
Dec 4

Speaker: Kelley Robinson (Track 1)

If you've noticed a surge in unwanted robocalls from your own area code in the last few years, you're not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it's time to address the problem.

This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well-accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry-wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

Home Labs without Hardware - Building in the Cloud
Dec 4

Speaker: Chris Myers (Track 1)

Home lab environments are an awesome way to level up your skills in the cyber security industry. Whether you’re into penetration testing, detection engineering, or adversary emulation – a well designed lab environment can be an invaluable training tool. The cloud offers a great way for anyone interested to dip their toes into the industry, or dive deeper technically, without the need for expensive hardware. However, there can be a learning curve with getting your lab set up in a cloud provider’s network.

In this talk, I’ll share what I’ve learned over the years building cloud hosted lab environments at Snap Labs to help flatten that learning curve. I’ll cover important design considerations, cloud limitations/gotchas, various use cases and lab scenarios, existing open source lab designs to get you started quickly, and more! I’ll also be releasing an open source tool to easily and securely access your lab environment and share that access with others.

How I Pwned the ICS Data during my Internship
Dec 4

Speaker: Shail Patel (Track 2)

As part of my summer graduate internship, I was hired by NREL as a cybersecurity intern to perform security evaluations on a grid-based ICS network. There was a need to develop, validate and deploy a unique and innovative architecture that comprehensively addresses the challenges associated with the proliferation of high penetration of distributed PV systems such as reverse power flows, feeder load balancing and voltage stability. Having considered this type of architecture, which includes an Advanced Distributed Management System (ADMS), a Beaglebone pi controller, a Real-Time Automation Controller (RTAC), a Grid Edge Management System (GEMS), a local python script that communicates between these devices, and unencrypted communication protocols like Modbus and DNP3, there was a need to perform vulnerability assessments on these devices to test the confidentiality and integrity of the data flowing between them. Thus, I performed packet capture analysis, vendor device analysis and local NREL device analysis on them and observed interesting results.

Pentesting disclosed various bugs and loopholes as a result of the use of insecure protocols like Modbus and DNP3. Some of the classic examples I discovered are default credentials for the inverter, LFI in the BeagleBone image, lots of open network ports, capacitor bank statuses, and lots of plaintext values in the communication model. I also devised measures to protect the DNP3 and Modbus data in transit, which I will introduce in this talk. Thus, the purpose of this talk is to focus on the need to secure ICS/SCADA data, which has no built-in security and poses challenges.

A SAST Story - Effectively Adopting Static Analysis for Profit
Dec 4

Speaker: Sasi Siddharth Muthurajan (Track 1)

Static Application Security Testing (SAST) solutions have been used by enterprises for over two decades. While such solutions are considered necessary in any development shop, the technology has been notorious for reporting a high volume of false positives. This problem is especially significant in larger codebases and legacy applications. However, with the right skills, process and a little bit of time, teams can extract a lot more value from SAST tools.

While SAST tools might sound like plug-n-play solutions, they require constant care and maintenance to achieve optimal Return on Investment (ROI). This talk is meant to be a discussion on identifying the various techniques that will allow teams to utilize SAST offerings to their maximum potential. It will also cover ideas for designing processes that will not only help use SAST tools effectively, but also prevent various categories of vulnerabilities from being introduced into the code.

The Great Hotel Hack: Adventures in Attacking Hospitality Industry
Dec 4

Speaker: Etizaz Mohsin (Track 2)

Ever wondered whether your presence is exposed to an unknown entity even when you are promised full security and discretion in a hotel? Well, it would be scary to know that the hospitality industry is a prime board nowadays for cyber threats, as hotels offer many opportunities for hackers and other cybercriminals to target them, resulting in data breaches. Not just credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriott International, where 500 million guests' private information was compromised, is one of the best examples. Besides data compromise, surgical strikes have been conducted by threat actors against targeted guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called Darkhotel infected Wi-Fi networks at luxury hotels, prompted the victim to download the malware and thus succeeded in specifically targeting traveling business executives in a variety of industries, and its prevalence seems to have no end yet.

For a broader look, this time a popular internet gateway device for visitor-based networks, commonly installed in hotels, malls and other places to provide guests temporary access to Wi-Fi, was examined. To see how the guests and the hotels both have a serious stake in this, we will discuss the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hijacking, accessing guests' details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.

Kettle of Fish in a Barrel: Cloud Automation for Subdomain Takeovers
Dec 4

Speaker: Matt Bosack (Track 2)

Back in 2018, Comcast launched its first public bug bounty program. Soon thereafter, subdomain takeovers made almost daily appearances as a submission type. We decided to approach the issue proactively, and quickly evolved from some bash scripts to near complete automation in the cloud. This talk will discuss our approach to different types of subdomain takeovers, including attack surface enumeration, fingerprinting, and automated takeovers. Additionally, we'll cover some of the case studies we've experienced running the Comcast Vulnerability Disclosure Program.

How Microsoft Made Me Love SIEMs Again
Dec 4

Speaker: Chris Maenner (Track 1)

As a startup, it is difficult to hire (afford) experienced security engineers and analysts. Due to the pandemic, our company was further challenged to optimize our security team. Following the leadership of our Engineering department, our company's security team architected a serverless Cloud Infrastructure which allowed our company to be nimble and flexible. This shared responsibility model allowed our company to focus on growing the business and on customer happiness.

Azure Sentinel Incident Response Platform is designed to consume, transform, and alert on serverless infrastructure by using serverless services. This platform is designed to alert on third-party cloud infrastructure, which will help detect remote workforce abuse and facility network abuse, and proactively identify systems that are misconfigured and remediate them.
