2020 Presentations

CornCon VI Presentations and Panels

For more on our speakers, click on speaker name or visit https://corncon.net/2020-speakers/.

Each entry lists: Speaker, Title, Company / Presentation Title / Abstract / Track, Day, Time
Shawn Anderson, Exec Security Advisor, Microsoft
What is trust? Should we trust but verify, or trust nothing and verify everything?

Attendees will learn:
1. What Zero Trust is
2. Why Zero Trust is a team effort
3. What they should focus on to achieve Zero Trust
4. How this can be done in a hybrid cloud environment that touches on-premises back-end systems
5. Finally, resources to investigate and learn more on their own
02 FRI 13:15
Grant Asplund, Growth Technologies Evangelist, Check Point Software
A Strategy for Securing Your Everything

The stakes have never been higher for organizations to get cyber security right. Many forces drive this sense of urgency: companies adding new private and public cloud platforms, new products including IoT, new geographic regions, apps and web capabilities, not to mention securing the increasing number of remote workers because of the Covid-19 pandemic. With the increase in sophisticated cyber-attacks, security teams are under pressure to protect organizations while understaffed, under-equipped and under budget.

In this session, cyber security thought leader Grant Asplund discusses how businesses of all sizes can adopt a modern approach to cyber security with a consolidated architecture that fully automates preventing attacks before enterprise systems can be breached.

02 SAT 11:00
Tony Baker, Global Product Security Leader, Rockwell Automation
OT/ICS Panel Discussion

Panelists: Megan Samford, VP, Chief Product Security Officer – Energy Management, Schneider Electric
Maggie Morganti, Staff, Oak Ridge National Laboratory
Jori P. VanAntwerp, VP of Sales at Gravwell

This will be a panel discussion on OT/ICS.

02 FRI 9:30
Todd Bell, Exec Director IT Compliance/CISO, Valleywise Health
API Security for the API Economy

We are accustomed to performing static source code scans and following the OWASP Top 10, but what about the proper configuration and setup of APIs? Many APIs we use can be exploited for DoS attacks, have hard-coded client secrets in the mobile app for API usage, or suffer from Broken Object-Level Authorization.

02 SAT 12:30
Ray Canzanese, Director of Threat Research, Netskope
COVID and the Cloud

The COVID-19 pandemic brought with it an abrupt change — a movement to remote work for the majority of knowledge workers. The number of people working remotely more than doubled in the span of a few weeks. Among the many challenges that security organizations faced during this transition was a change in user behavior. The behavior profile of a user working from home — and working alongside all the other members of their household — is a stark contrast to the profile of the same user working from the office. We analyzed cloud and web activity from hundreds of enterprises and millions of users over the past year and identified three trends emphasized by COVID-19 that are a cause for concern for security organizations.

First is the increase in cloud app usage. The number of cloud apps in use in the enterprise has been gradually increasing. The COVID-19 pandemic caused a surge in adoption of cloud collaboration apps, each introducing new security challenges. Are these apps managed? Are they properly configured? Are they handling sensitive data? Is any of that data exposed publicly? Are users using personal apps to handle sensitive data? We highlight both the increase in usage of specific apps and an alarming trend of sensitive company data being stored and processed in personal apps.

Second is an increase in personal usage of managed devices, for gaming, personal web-browsing, installing personal software, and entertainment. Managed devices are also being used to enable remote learning, evidenced by a sharp increase in visits to children’s websites and a dramatic increase in usage of education apps. 

Third is an increase in risky behavior. Users working from home tend to be less careful in their web usage than they are in the office. Risky behaviors include visiting gambling, drugs, piracy, and adult websites. For example, visits to adult websites increased 600% during the pandemic. This risky behavior puts devices at an increased risk of compromise. 

The increase in cloud app usage, sharing of managed devices within a household, and an increase in risky behavior present challenges to security organizations. How do you ensure the users, their devices, and the company’s sensitive assets are protected in this environment? Monitoring cloud and web activity is crucial to securing data and protecting devices and users. Coaching can also help reduce remote risks while still enabling the business to use cloud apps where they are required. We share data that quantifies the effectiveness of such a strategy in correcting user behavior. The main takeaway of this presentation is to understand the three cloud and web usage trends magnified by COVID-19 and identify an effective strategy for mitigating the negative security effects of these trends in your organization.  

01 FRI 14:00
Dr. Mark Carney, Technical Specialist and Researcher
Tears for Quantum Fears

Few technologies have had the sheer scale of investment that quantum computation has seen in recent years. In this talk we will describe the four main ways in which ‘quantum’ will affect cybersecurity. Starting with how quantum computers affect classical crypto, discussing “how and when are we gonna break classical crypto?”, we go through Quantum Key Distribution and “is it really workable?”, then via post-quantum cryptography asking “what even is an isogeny?”, rounding off with a look at which quantum algorithms could be useful to defenders in the future, and how.

02 FRI 14:45
Mike Convertino, Chief Security Officer, Arceo.ai
Cyber Insurance Panel

Panelists: Tim Callahan, Global Chief Security Officer, AFLAC

Michael Phillips, Chief Claims Officer, Arceo AI

A seasoned panel will discuss cyber insurance.

01 FRI 14:45
Stephen Cobb, Independent Risk Researcher, Self-employed
How Hackers Save Humanity: A Cautionary Tale of Existential Risk

The COVID-19 pandemic reminds us that there is always a risk that things can very quickly go very wrong for humans, with potentially fatal consequences, at scale. Hackers are arguably more aware of this than their peers and thus better equipped to both predict and prevent so-called existential risks—those that end life for all present and future humans. This talk introduces humans with a hacker mindset to the hot new field of existential risk reduction, laying out key issues in existential risk by way of Bostrom’s concept of black balls—technology that invariably or by default destroys the civilization that invents it (from his Vulnerable World Hypothesis paper). Topics include AI, cybernetics, the value of future life, and the role of malware in human evolution.

01 SAT 8:45
Davie Gioe, History Fellow, Army Cyber Institute, West Point
Russian disinformation: Past, Present, and Policy Considerations

This presentation considers Russian disinformation in historical perspective. It offers examples of the current threat landscape in the election season, and offers a range of global policy considerations.

01 SAT 13:15
J Wolfgang Goerlich, Advisory CISO and Strategist, Duo
Design Thinking for Secure Development

Usability versus security is stupid. It forces us to choose one or the other. It excuses security breaches under the guise of usability. It automatically pits us against them, builders against breakers, developers against defenders. A better approach is to view security like usability: they happen where man meets machine. At that moment of meeting, what factors in human psychology and industrial design are at play? And suppose we could pause time. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and provides a case study in applied software design. The future is usability and security. Come learn how to design that future.

01 SAT 10:15
Travis Hartman, President, IWC Labs
99 Jobs and Finding the right one

Government? Civilian? Researcher? Why not do all of them at once? This presentation provides a perspective on managing dual careers in the Army Reserves and the corporate world. Security clearances, specialized training, and switching back and forth between different full-time roles present challenges, but also opportunities to do what few others will do. When launching a new village at Defcon coincides with taking over a 1,600-person organization operating on five continents, it is time to leverage the network of personal connections to make things happen.

02 SAT 8:45
Bryan Hurd, VP, Stroz Friedberg, Former Intelligence Director Microsoft Digital Crimes Unit
CISO Panel: Daily breaches! What are we missing?

Panelists: Richard Rushing, CISO, Motorola Mobility

Every day we continue to see cyber breaches in the news. So what are we missing?

02 SAT 12:30
Todd Inskeep, Cyber Yoda, Incovate Solutions
Three Paths to Risk and the Board

Get insights into how to talk about risk management at the board level with three different approaches to thinking about risk for the board. 

01 FRI 8:45
Kevin Johnson, CEO and Security Consultants at Secure Ideas
Haunted Security

Security is a wild and scary ride for some, a place of comfort for others. In this presentation, Kevin Johnson of Secure Ideas will discuss how the foundations of everything we do are critical to our success. The talk will explore the ethics, the knowledge, the community, and the pitfalls in each of these areas. Based on the portraits in the stretching gallery of the haunted mansion, many of the things we do are actually based on dangerous assumptions and actions. Kevin will discuss the ways that we can strengthen our foundations and improve the things we do every day.

02 FRI 14:00
Dave Kennedy, CEO, TrustedSec, Binary Defense
Understanding Offense – How Red Raises The Bar To Better Blue

Most organizations are still at a basic or moderate level of security and have difficulty moving past commoditized tooling and crowdsourced tactics, techniques, and procedures (TTPs). The issue is that even organized crime groups that were largely unsophisticated have gained major traction and are now leveraging new methods for attacking organizations. It’s never been more important to focus on understanding how vulnerable our organization is to attack, and how well it can respond to minimize damage. In this talk, we’ll cover the current state of security for most organizations, how easy it is to get around “next generation” product lines, and what we need to do to move forward to raise the bar of entry to compromise and limit dwell time.

02 FRI 12:30
Adam Kujawa, Director of Malwarebytes Labs, Malwarebytes
LUNCH KEYNOTE: Enduring from Home: COVID-19’s impact on business security

Since March, “business as usual” has become business uncharted, and the near-immediate transition to remote work brought enough challenges to upset any IT director. This presentation will unveil data on how COVID-19 impacted enterprise cybersecurity and what IT professionals can do to prepare for the uncertain future.

• How prepared companies were transitioning to WFH
• Which WFH challenges were the most worrisome
• How the pandemic impacted organizations’ bottom line
• How IT leaders’ confidence in their security posture compared to their actions
• What security threats are on the rise today
• How managers, directors, and CISOs each responded to WFH challenges
• How small, medium, and large businesses fared in the transition to remote work
• Next steps to secure organizations for long-term remote work

01 FRI 11:45
E. Larry Lidz, CISO
Verifiable Effectiveness – How to know your security program works before the bad guys let you know

All too often security teams put in place security controls and just assume that they’ll work, trusting that the processes continue to be executed and people are at their most diligent. Larry will discuss methods for proactively verifying that your security controls continue to be effective over time.

01 FRI 11:00
Rafal Los aka “@Wh1t3Rabbit”, Vice President of Security Strategy, Lightstream
You Suck and I’ll Show You How to Prove It

Security widgets produce lots of noise, in that they show you lots of useless metrics. Boards and leadership in the business want to see ‘progress’ and some sort of measurement of ‘getting better’. The fact is many companies and experts struggle to create and measure meaningfully. I’ll show you how.

01 FRI 10:15
Dr. Richard H.L. Marshall (Rich), Founder/CEO, CinturianGroup
If you think COVID 19 was bad

Why management should care about protecting digital data post COVID 19.

01 FRI 12:30
Shaun Martin, Staff DevOps Engineer, QuickBase
AWS No Host Secure Infrastructure Automated

I will walk through how a modern day application can achieve a full software as a service infrastructure using AWS (ECS Fargate, RDS, ALB, Route53, CloudMap, S3, CloudFront) in an enterprise manner. This approach has no hosts to manage at all, drastically reducing all security issues, maintenance, upgrades and downtime, while being able to auto scale and self heal from most issues. I will cover the AWS infrastructure services and concepts related to security, scale, lack of maintenance and automation.

02 FRI 8:45
Marci McCarthy, CEO and President, T.E.N. Inc. (Moderator)
Amanda Fennell, CISO, Relativity
Joey Johnson, CISO, Premise Health
Ricardo Lafosse, CISO, The Kraft Heinz Company
CISO Panel: It’s the End of the World as We Know It (And I Feel Fine)

Our culture has been through so much this year with the pandemic, and organizational cybersecurity has not been an exception. Massive cloud adoption, remote workforces, digital learning, security concerns with home devices, the Death Star destroying Alderaan—wait, maybe that last one didn’t actually happen. As much as it’s felt like the world is ending for our current security platforms, in reality we are poised to make more strategic security decisions with improved controls and processes like never before. Once we step back and take a new perspective as we examine our security situation and where it can go, we may realize we’re feeling fine about what’s coming next. Join our conversation as we discuss how to take advantage of this opportunity to make real cybersecurity improvements in a time of world-shaking changes that will allow our organizations to seize a better tomorrow.

01 FRI 9:30
Derek Milroy, Enterprise Security Architect
What we all end up Implementing anyway

This talk will discuss a dozen security processes we all end up implementing regardless of the Control Frameworks we utilize or any compliance mandates we have to fulfill (PCI, SOX, etc.).

02 FRI 10:15
Dr. Phil Polstra, Professor of Digital Forensics, Bloomsburg University
What is the extent of your Ext4 Filesystem Knowledge?

Attendees will learn more about the latest updates to the Linux ext4 filesystem (the most commonly used Linux filesystem), including one of its most confusing features, known as extents.

TUTORIAL SAT 9:30
Chris (Sidragon) Roberts, Geek, Hacker, Hilbilly Hit Squad
All Your Votes Are Belong To…

02 FRI 15:30
Winn Schwartau, Chief Visionary, SAC Labs
AI Ain’t So Smart, Eh?

Humans interact with AI-based security daily, but do the answers AI comes up with work equally well across all cultures? Why do some AI security systems make puzzling or incorrect decisions, and how can we develop a framework for measuring and quantifying this phenomenon across cultures? Indeed, the development of hostile AI (vis-à-vis GANs, required for accelerated learning) is rapidly changing the attacker’s toolkit. The concepts range into the anthro- piece of the triad with “deep faking”, where truth may have become a ‘fuzzy’ term.

In this talk, we examine AI’s big data bias as the root of error in cyber-kinetic systems and how that bias manifests itself through different cultural lenses.

01 SAT 9:30
Nick Selby, Chief Security Officer, Paxos Trust Company
Tech Debt Burndown: Kill It With Fire

All of us have infrastructure and applications we’ve inherited from a team that inherited it from a team that inherited it from a team… We build atop sands, assuming they are solid, but technical debt is a major source of exploitable weakness; it’s like an attack vector creation engine underneath our great stuff. How do you find it, what do you do about it, and how can you get it done in the real world, where we all have product and feature demands and urgent timelines?

02 SAT 14:00
George Simonds, President, International Critical Infrastructure Security Institute
The New Cyber Engineer – How Immersive Learning Shapes Solutions Engineering at Industrial Facilities

Workforce development for cyber professionals in the industrialized sectors requires a more diversified, multi-disciplinary approach. With IoT on the horizon the skill demands are even higher. This presentation will discuss the challenge of building a cyber workforce capable of meeting the challenges of protecting converged IT, OT, and IoT in some of the most rigorous environments in the world.

02 SAT 9:30
Dr. Eugene Spafford (Spaf), Professor, Purdue University
This Talk Has No Title

This is a set of mental exercises to show subtle biases that impact problem solving.

01 SAT 14:45
Dr. Jeff Struik, Principal Cyber Security Engineer, Cyber Strike Solutions, LLC
CMMC – Why yes, I would love another cyber security framework!

CANCELLED

This presentation will present information about the forthcoming Cybersecurity Maturity Model Certification (CMMC) requirements applicable to the Defense Industrial Base. The cyber-regulatory landscape seems to be continuously changing to address new and changing threats to our nation’s supply chain. The CMMC intends to address the challenges of the supply chain and defense contractors. We will review what the CMMC is and will also break down what practical implementation looks like. Knowing how to apply the CMMC requirements is just as critical as conducting technical assessments of products received from OEMs or other vendors. We will provide practical approaches to complying with CMMC without breaking the security budget.

Aaron Turner, Founder/CSO, HighSide, IANS Faculty
How Microsoft Owned Your SaaS – the massive data movement to M365

Anyone who has moved their email and collaboration back-end to Microsoft 365 needs to know what security risks they’ve inherited and how to manage those risks now and in the future.

02 FRI 11:00
Robert Wagner, Security Strategist, Splunk
Tutorial – Hands On Security Investigations with Splunk

This workshop is designed to expose attendees to real-world scenarios that an analyst might encounter on a daily basis. This workshop presents questions that would be asked as an investigation unfolds and users will use Splunk to answer those questions. The workshop agenda is approximately 3-4 hours. 10:15-14:00 (Friday)

Defense on a Budget: Free Security Tips and Tricks
There is never enough budget or time to solve every security problem an organization faces. However, there are a lot of free or inexpensive tactics and techniques that every organization can leverage to make it harder for attackers to enter your environment. This presentation is a collection of basic tips and tricks learned from security professionals around the world. These are tactics that either stop attackers in their tracks or make it more difficult for them to succeed. You’ll walk away with actionable tips to fill your security gaps and help reduce your attack surface. 14:00 (Friday)

02 FRI 14:00
Aaron Warner, Founder/CEO, ProCircular
“It’s a Trap!” – Privacy, clickbait, and PII in the modern world

Be careful what you click, it might be a trap! Aaron Warner of ProCircular has assembled a diverse group of individuals to discuss what privacy even means in the modern world of online life, social media, and government monitoring. Panelists will take questions from the audience and offer real-life examples of privacy protections and infringement and suggestions on how to better protect yourself.

Panelists: Kurt Opsahl, Deputy Executive Director and General Counsel of the Electronic Frontier Foundation
Dr. Doug Jacobsen, Director of Information Assurance Center at Iowa State University
Brian McCormac, Data Security & Privacy counsel at BrownWinnick Law

01 SAT 11:00
Bob West, Managing Partner, West Strategy Group
Identity in the COVID-19 Era

Co-presenting with Mike Coogan

COVID-19 has fundamentally changed how enterprises function. They moved from a traditional workplace environment to working from home or making alternate arrangements in a very short period of time. This presentation will cover how the right mix of identity solutions can facilitate this and other major technology changes.

01 FRI 13:15
Ira Winkler, President, Secure Mentem
CLOSING KEYNOTE SATURDAY: You Can Stop Stupid

Currently, when a user causes a loss, it is considered an awareness failing. The reality is that it is a failure of the system that allowed an action to result in loss. Applying safety and counterterrorism sciences, Ira will provide a strategy for creating an environment around users that prevents the initiation of losses, and then mitigates losses should a user take a potentially harmful action.

01 SAT 15:30
Ron Woerner, Cybersecurity Instructor, Bellevue University
How Not to Suck at Security (or How to Hack your Cyber Career)

Common questions I am asked as a cybersecurity instructor are, “How do I get a job in cybersecurity and not suck once I’m there?” This session provides answers. You start by hacking your next job and learning what to do and not to do. Learn the traits of a well-rounded security professional, the career triad, and steps for hacking your career. This includes: visualizing your goals, knowing the best path for you, social engineering your next boss, active learning, and keeping your cyber skills sharp. We’ll also discuss how to tell if you or your organization is sucking and what you can (and should) do about it. 
There’s something for everyone in this entertaining and educational talk. 

02 SAT 10:15
Marc Woolward, CTO/CISO vArmour
LUNCH KEYNOTE SATURDAY: Addressing Application Resilience in Today’s Complex, Dynamic Environments

The speed of digital transformation continues to accelerate, with enterprises transitioning to cloud at a faster and faster rate. However, organizations must still rely on legacy technologies, resulting in diverse infrastructure—new and old—that is more dynamic than ever. This poses a difficult challenge to security teams: how do you minimize operational risk for these complex environments while increasing application resiliency? Join Marc Woolward, CTO and CISO of vArmour, for a discussion on using new world security architectural approaches, such as application relationship management, to regain control of risk in this constantly evolving world.

01 SAT 11:45
Caroline Wong, Chief Strategy Officer, Cobalt.io
CLOSING KEYNOTE FRIDAY: Come for the Mission, Stay for the Vision

The internet wasn’t built with security in mind, the world has a massive talent shortage, and we can’t rely on automation to solve everything. What’s happening to the people in this scenario? Join Caroline Wong, Cobalt.io’s head of Security and People, for a unique perspective on the role of humans in cybersecurity.

01 FRI 15:30
xe1phix, Linux Admin, ICS
Tutorial: Secure Linux Networking

https://gitlab.com/xe1phix/ParrotSecWiki/-/blob/InfoSecTalk/InfoSec-CFP-Submissions/Xe1phix-Securing-Linux-Networking-CFP-_CornCon-2020_-v7.8.txt

See agenda for more details.

TUTORIAL SAT 12:30