CornCon VI Presentations and Panels
For more on our speakers, click on speaker name or visit https://corncon.net/2020-speakers/.
Speaker, Title, Company, Presentation Title | Track | Day | Time |
Shawn Anderson, Exec Security Advisor, Microsoft What is trust?
Should we trust but verify, or trust nothing and verify everything? Attendees will learn: 1. What Zero Trust is, 2. Why Zero Trust is a team effort, 3. What they should focus on to achieve Zero Trust, 4. How this can be done in a hybrid cloud environment that touches on-premises back-end systems, 5. Finally, resources to investigate and learn more on their own. |
02 | FRI | 13:15 |
Grant Asplund, Growth Technologies Evangelist, Check Point Software A Strategy for Securing Your Everything
The stakes have never been higher for organizations to get cyber security right. There are many forces driving this sense of urgency: companies adding new private and public cloud platforms, new products including IoT, geographic regions, apps and web capabilities, not to mention securing the increasing number of remote workers because of the Covid-19 pandemic. With the increase in sophisticated cyber-attacks, security teams are under pressure to protect organizations while under staffed, under-equipped and under budget. In this session, cyber security thought leader Grant Asplund discusses how businesses of all sizes can adopt a modern approach to cyber security with a consolidated architecture that fully automates preventing attacks before enterprise systems can be breached. |
02 | SAT | 11:00 |
Tony Baker, Global Product Security Leader, Rockwell Automation OT/ICS Panel Discussion
Panelists: Megan Samford, VP, Chief Product Security Officer – Energy Management, Schneider Electric
This will be a panel discussion on OT/ICS. |
02 | FRI | 9:30 |
Todd Bell, Exec Director IT Compliance/CISO, Valleywise Health API Security for the API Economy
We are accustomed to performing static source code scans and following the OWASP Top 10, but what about the proper configuration and setup of APIs? Many of the APIs we use can be exploited for DoS attacks, ship hard-coded client secrets in the mobile app that consumes the API, or suffer from Broken Object-Level Authorization. |
02 | SAT | 12:30 |
Ray Canzanese, Director of Threat Research, Netskope COVID and the Cloud
The COVID-19 pandemic brought with it an abrupt change — a movement to remote work for the majority of knowledge workers. The number of people working remotely more than doubled in the span of a few weeks. Among the many challenges that security organizations faced during this transition was a change in user behavior. The behavior profile of a user working from home — and working alongside all the other members of their household — is a stark contrast to the profile of the same user working from the office. We analyzed cloud and web activity from hundreds of enterprises and millions of users over the past year and identified three trends emphasized by COVID-19 that are a cause for concern for security organizations. First is the increase in cloud app usage. The number of cloud apps in use in the enterprise has been gradually increasing. The COVID-19 pandemic caused a surge in adoption of cloud collaboration apps, each introducing new security challenges. Are these apps managed? Are they properly configured? Are they handling sensitive data? Is any of that data exposed publicly? Are users using personal apps to handle sensitive data? We highlight both the increase in usage of specific apps and an alarming trend of sensitive company data being stored and processed in personal apps. Second is an increase in personal usage of managed devices, for gaming, personal web-browsing, installing personal software, and entertainment. Managed devices are also being used to enable remote learning, evidenced by a sharp increase in visits to children’s websites and a dramatic increase in usage of education apps. Third is an increase in risky behavior. Users working from home tend to be less careful in their web usage than they are in the office. Risky behaviors include visiting gambling, drugs, piracy, and adult websites. For example, visits to adult websites increased 600% during the pandemic. This risky behavior puts devices at an increased risk of compromise. 
The increase in cloud app usage, sharing of managed devices within a household, and an increase in risky behavior present challenges to security organizations. How do you ensure the users, their devices, and the company’s sensitive assets are protected in this environment? Monitoring cloud and web activity is crucial to securing data and protecting devices and users. Coaching can also help reduce remote risks while still enabling the business to use cloud apps where they are required. We share data that quantifies the effectiveness of such a strategy in correcting user behavior. The main takeaway of this presentation is to understand the three cloud and web usage trends magnified by COVID-19 and identify an effective strategy for mitigating the negative security effects of these trends in your organization. |
01 | FRI | 14:00 |
Dr. Mark Carney, Technical Specialist and Researcher Tears for Quantum Fears
Few technologies have had the sheer scale of investment that quantum computation has seen in recent years. In this talk we will describe the four main ways in which ‘quantum’ will affect cybersecurity. Starting with how quantum computers affect classical crypto, discussing “how and when are we gonna break classical crypto?”, we go through Quantum Key Distribution and “is it really workable?”, then via post-quantum cryptography asking “what even is an isogeny?”, rounding off with a look at what and how quantum algorithms could be useful to defenders in the future. |
02 | FRI | 14:45 |
Mike Convertino, Chief Security Officer, Arceo.ai Cyber Insurance Panel
Panelists: Tim Callahan, Global Chief Security Officer, AFLAC; Michael Phillips, Chief Claims Officer, Arceo AI
A seasoned panel will discuss cyber insurance. |
01 | FRI | 14:45 |
Stephen Cobb, Independent Risk Researcher, Self-employed How Hackers Save Humanity: A Cautionary Tale of Existential Risk
The COVID-19 pandemic reminds us that there is always a risk that things can very quickly go very wrong for humans, with potentially fatal consequences, at scale. Hackers are arguably more aware of this than their peers and thus better equipped to both predict and prevent so-called existential risks—those that end life for all present and future humans. This talk introduces humans with a hacker mindset to the hot new field of existential risk reduction, laying out key issues in existential risk by way of Bostrom’s concept of black balls—technology that invariably or by default destroys the civilization that invents it (from his Vulnerable World Hypothesis paper). Topics include AI, cybernetics, the value of future life, and the role of malware in human evolution. |
01 | SAT | 8:45 |
Davie Gioe, History Fellow, Army Cyber Institute, West Point Russian disinformation: Past, Present, and Policy Considerations
This presentation considers Russian disinformation in historical perspective. It offers examples of the current threat landscape in the election season, and offers a range of global policy considerations. |
01 | SAT | 13:15 |
J Wolfgang Goerlich, Advisory CISO and Strategist, Duo Design Thinking for Secure Development
Usability versus security is stupid. It forces us to choose one or the other. It excuses security breaches under the guise of usability. It automatically pits us against them, builders against breakers, developers against defenders. A better approach is to view security like usability: they happen where man meets machine. At that moment of meeting, what factors in human psychology and industrial design are at play? And suppose we could pause time. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and provides a case study in applied software design. The future is usability and security. Come learn how to design that future. |
01 | SAT | 10:15 |
Travis Hartman, President, IWC Labs 99 Jobs and Finding the right one
Government? Civilian? Researcher? Why not do all of them at once? This presentation provides a perspective on managing dual careers in the Army Reserves and the corporate world. Security clearances, specialized training, and switching back and forth between different full-time roles present challenges, but also opportunities to do what few others will do. When launching a new village at DEF CON coincides with taking over a 1,600-person organization operating on five continents, it is time to leverage the network of personal connections to make things happen. |
02 | SAT | 8:45 |
Bryan Hurd, VP, Stroz Friedberg, Former Intelligence Director Microsoft Digital Crimes Unit CISO Panel: Daily breaches! What are we missing?
Panelists: Richard Rushing, CISO, Motorola Mobility
Every day we continue to see cyber breaches in the news. So what are we missing? |
02 | SAT | 12:30 |
Todd Inskeep, Cyber Yoda, Incovate Solutions Three Paths to Risk and the Board
Get insights into how to talk about risk management at the board level with three different approaches to thinking about risk for the board. |
01 | FRI | 8:45 |
Kevin Johnson, CEO and Security Consultant, Secure Ideas Haunted Security
Security is a wild and scary ride for some, a place of comfort for others. In this presentation, Kevin Johnson of Secure Ideas will discuss how the foundations of everything we do are critical to our success. The talk will explore the ethics, the knowledge, the community, and the pitfalls in each of these areas. Based on the portraits in the stretching gallery of the haunted mansion, many of the things we do are actually based on dangerous assumptions and actions. Kevin will discuss the ways that we can strengthen our foundations and improve the things we do every day. |
02 | FRI | 14:00 |
Dave Kennedy, CEO, TrustedSec, Binary Defense Understanding Offense – How Red Raises The Bar To Better Blue
Most organizations are still at a basic or moderate level of security and have difficulty moving past commoditized tooling and crowdsourced tactics, techniques, and procedures (TTPs). The issue is that even organized crime groups that were largely unsophisticated have gained major traction and are now leveraging new methods for attacking organizations. It’s never been more important to focus on understanding how exposed our organization is to attack, and how well it can respond to minimize damage. In this talk, we’ll cover the current state of security for most organizations, how easy it is to get around “next generation” product lines, and what we need to do to move forward to raise the bar of entry to compromise and limit dwell time. |
02 | FRI | 12:30 |
Adam Kujawa, Director of Malwarebytes Labs, Malwarebytes LUNCH KEYNOTE: Enduring from Home: COVID-19’s impact on business security
Since March, “business as usual” has become business uncharted, and the near-immediate transition to remote work brought enough challenges to upset any IT director. This presentation will unveil data on how COVID-19 impacted enterprise cybersecurity and what IT professionals can do to prepare for the uncertain future.
• How prepared companies were transitioning to WFH |
01 | FRI | 11:45 |
E. Larry Lidz, CISO Verifiable Effectiveness – How to know your security program works before the bad guys let you know
All too often security teams put in place security controls and just assume that they’ll work, trusting that the processes continue to be executed and people are at their most diligent. Larry will discuss methods for proactively verifying that your security controls continue to be effective over time. |
01 | FRI | 11:00 |
Rafal Los aka “@Wh1t3Rabbit”, Vice President of Security Strategy, Lightstream You Suck and I’ll Show You How to Prove It
Security widgets produce lots of noise, in that they show you lots of useless metrics. Boards and business leadership want to see ‘progress’ and some sort of measurement of ‘getting better’. The fact is that many companies and experts struggle to create meaningful measurements. I’ll show you how. |
01 | FRI | 10:15 |
Dr. Richard H.L. Marshall (Rich), Founder/CEO, CinturianGroup If you think COVID-19 was bad
Why management should care about protecting digital data post COVID-19. |
01 | FRI | 12:30 |
Shaun Martin, Staff DevOps Engineer, QuickBase AWS No Host Secure Infrastructure Automated
I will walk through how a modern-day application can achieve a full software-as-a-service infrastructure using AWS (ECS Fargate, RDS, ALB, Route53, CloudMap, S3, CloudFront) in an enterprise manner. This approach has no hosts to manage at all, drastically reducing security issues, maintenance, upgrades and downtime, while being able to auto-scale and self-heal from most issues. I will cover the AWS infrastructure services and concepts related to security, scale, lack of maintenance and automation. |
02 | FRI | 8:45 |
Marci McCarthy, CEO and President, T.E.N. Inc. (Moderator) CISO Panel: It’s the End of the World as We Know It (And I Feel Fine)
Panelists: Amanda Fennell, CISO, Relativity; Joey Johnson, CISO, Premise Health; Ricardo Lafosse, CISO, The Kraft Heinz Company
Our culture has been through so much this year with the pandemic, and organizational cybersecurity has not been an exception. Massive cloud adoption, remote workforces, digital learning, security concerns with home devices, the Death Star destroying Alderaan—wait, maybe that last one didn’t actually happen. As much as it’s felt like the world is ending for our current security platforms, in reality we are poised to make more strategic security decisions with improved controls and processes like never before. Once we step back and take a new perspective as we examine our security situation and where it can go, we may realize we’re feeling fine about what’s coming next. Join our conversation as we discuss how to take advantage of this opportunity to make real cybersecurity improvements in a time of world-shaking changes that will allow our organizations to seize a better tomorrow. |
01 | FRI | 9:30 |
Derek Milroy, Enterprise Security Architect What we all end up Implementing anyway
This talk will discuss a dozen security processes we all end up implementing regardless of the Control Frameworks we utilize or any compliance mandates we have to fulfill (PCI, SOX, etc.). |
02 | FRI | 10:15 |
Dr. Phil Polstra, Professor of Digital Forensics, Bloomsburg University What is the extent of your Ext4 Filesystem Knowledge?
Attendees will learn more about the latest updates to the Linux ext4 filesystem (the most commonly used Linux filesystem), including one of the most confusing features, known as extents. |
TUTORIAL | SAT | 9:30 |
Chris (Sidragon) Roberts, Geek, Hacker, Hillbilly Hit Squad All Your Votes Are Belong To…
|
02 | FRI | 15:30 |
Winn Schwartau, Chief Visionary, SAC Labs AI Ain’t So Smart, Eh?
Humans interact with AI-based security daily, but do the answers AI comes up with work equally well across all cultures? Why do some AI security systems make puzzling or incorrect decisions, and how can we develop a framework for measuring and quantifying this phenomenon across cultures? Indeed, the development of hostile AI (vis-à-vis GANs, required for accelerated learning) is rapidly changing the attacker’s toolkit. The concepts range into the anthro- piece of the triad with “deep faking”, where truth may have become a ‘fuzzy’ term. In this talk, we examine AI’s big-data bias as the root of error in cyber-kinetic systems and how that bias manifests itself through different cultural lenses. |
01 | SAT | 9:30 |
Nick Selby, Chief Security Officer, Paxos Trust Company Tech Debt Burndown: Kill It With Fire
All of us have infrastructure and applications we’ve inherited from a team that inherited it from a team that inherited it from a team… We build atop sands, assuming they are solid, but technical debt is a major source of exploitable weakness; it’s like an attack-vector creation engine underneath our great stuff. How do you find it, and what do you do about it – and how can you get it done in the real world, where we all have product and feature demands and urgent timelines? |
02 | SAT | 14:00 |
George Simonds, President, International Critical Infrastructure Security Institute The New Cyber Engineer – How Immersive Learning Shapes Solutions Engineering at Industrial Facilities
Workforce development for cyber professionals in the industrialized sectors requires a more diversified, multi-disciplinary approach. With IoT on the horizon the skill demands are even higher. This presentation will discuss the challenge of building a cyber workforce capable of meeting the challenges of protecting converged IT, OT, and IoT in some of the most rigorous environments in the world. |
02 | SAT | 9:30 |
Dr. Eugene Spafford (Spaf), Professor, Purdue University This Talk Has No Title
This is a set of mental exercises to show subtle biases that impact problem solving. |
01 | SAT | 14:45 |
Dr. Jeff Struik, Principal Cyber Security Engineer, Cyber Strike Solutions, LLC CMMC – Why yes, I would love another cyber security framework! CANCELLED
This presentation will cover the forthcoming Cybersecurity Maturity Model Certification (CMMC) requirements applicable to the Defense Industrial Base. The cyber-regulatory landscape seems to be continuously changing to address new and changing threats to our nation’s supply chain. The CMMC intends to address the challenges of the supply chain and defense contractors. We will review what the CMMC is and will also break down what practical implementation looks like. Knowing how to apply the CMMC requirements is just as critical as conducting technical assessments of products received from OEMs or other vendors. We will provide practical approaches to complying with CMMC without breaking the security budget. |
|||
Aaron Turner, Founder/CSO, HighSide, IANS Faculty How Microsoft Owned Your SaaS – the massive data movement to M365
Anyone who has moved their email and collaboration back-end to Microsoft 365 needs to know what security risks they’ve inherited and how to manage those risks now and in the future. |
02 | FRI | 11:00 |
Robert Wagner, Security Strategist, Splunk Tutorial – Hands On Security Investigations with Splunk
This workshop is designed to expose attendees to real-world scenarios that an analyst might encounter on a daily basis. This workshop presents questions that would be asked as an investigation unfolds, and users will use Splunk to answer those questions. The workshop agenda is approximately 3-4 hours. 10:15-14:00 (Friday) |
02 | FRI | 14:00 |
Aaron Warner, Founder/CEO, ProCircular “It’s a Trap!” – Privacy, clickbait, and PII in the modern world
Be careful what you click, it might be a trap! Aaron Warner of ProCircular has assembled a diverse group of individuals to discuss what privacy even means in the modern world of online life, social media, and government monitoring. Panelists will take questions from the audience and offer real-life examples of privacy protections and infringement and suggestions on how to better protect yourself.
Panelists: Kurt Opsahl, Deputy Executive Director and General Counsel of the Electronic Frontier Foundation |
01 | SAT | 11:00 |
Bob West, Managing Partner, West Strategy Group Identity in the COVID-19 Era
Co-presenting with Mike Coogan
COVID-19 has fundamentally changed how enterprises function. They moved from a traditional workplace environment to working from home or making alternate arrangements in a very short period of time. This presentation will cover how the right mix of identity solutions can facilitate this and other major technology changes. |
01 | FRI | 13:15 |
Ira Winkler, President, Secure Mentem CLOSING KEYNOTE SATURDAY: You Can Stop Stupid
Currently, when a user causes a loss, it is considered an awareness failing. The reality is that it is a failure of the system that allowed an action to result in loss. Applying safety and counterterrorism sciences, Ira will provide a strategy for creating an environment around users that prevents the initiation of losses, and then mitigates losses should a user take a potentially harmful action. |
01 | SAT | 15:30 |
Ron Woerner, Cybersecurity Instructor, Bellevue University How Not to Suck at Security (or How to Hack your Cyber Career)
A common question I am asked as a cybersecurity instructor is, “How do I get a job in cybersecurity and not suck once I’m there?” This session provides answers. You start by hacking your next job and learning what to do and not to do. Learn the traits of a well-rounded security professional, the career triad, and steps for hacking your career. This includes: visualizing your goals, knowing the best path for you, social engineering your next boss, active learning, and keeping your cyber skills sharp. We’ll also discuss how to tell if you or your organization is sucking and what you can (and should) do about it. |
02 | SAT | 10:15 |
Marc Woolward, CTO/CISO vArmour LUNCH KEYNOTE SATURDAY: Addressing Application Resilience in Today’s Complex, Dynamic Environments
The speed of digital transformation continues to accelerate, with enterprises transitioning to cloud at a faster and faster rate. However, organizations must still rely on legacy technologies, resulting in diverse infrastructure—new and old—that is more dynamic than ever. This poses a difficult challenge to security teams: how do you minimize operational risk for these complex environments while increasing application resiliency? Join Marc Woolward, CTO and CISO of vArmour, for a discussion on using new world security architectural approaches, such as application relationship management, to regain control of risk in this constantly evolving world. |
01 | SAT | 11:45 |
Caroline Wong, Chief Strategy Officer, Cobalt.io CLOSING KEYNOTE FRIDAY: Come for the Mission, Stay for the Vision
The internet wasn’t built with security in mind, the world has a massive talent shortage, and we can’t rely on automation to solve everything. What’s happening to the people in this scenario? Join Caroline Wong, Cobalt.io’s head of Security and People, for a unique perspective on the role of humans in cybersecurity. |
01 | FRI | 15:30 |
xe1phix, Linux Admin, ICS Tutorial: Secure Linux Networking
See agenda for more details. |
TUTORIAL | SAT | 12:30 |