Day 2 - June 6, 2018

June 6 - 11:00am-11:50am

Case Studies

Mobile Application (In)Security, and How it Effects Everyone

Mohsan Farid - CISSP, CSSLP, LPT,CEH, CPT, CNDA, FITSP-A, JANUS Associates

This discussion  looks at the current state of mobile applications, their design and their (In)security.  Focus areas include the current state of insecurity; the top ten mobile application risks; three case studies, and the path to securing mobile applications.  The case studies include  1)  Electric Utility: Gaining access from their mobile app into the homes of millions of people to see if the residents were home and turn on/off their appliances, and disable their security systems;2) Banking: Going in via a mobile app, and being able to view the balances of other customers, and their private information on devices, including PII; and 3) Popular Children's Application: Using meta data within photos uploaded from the app to triangulate children's location, and replacing the photos that were originally uploaded with others.    The case studies will be followed by a discussion on the direction mobile needs to go in order to create secure applications.   


Can Big Brother Look/Hear Into My Mobile Device?

Steve Treglia, Cordium Presentation

Surely, the government can't see or hear what transpires by voice or text on my mobile devices, right? This lecture will analyze the current technological capabilities allowing such access and the legal authorities that permit or prevent such access -- from law enforcement's attempt to crack the encryption on the phones possessed by the San Bernardino attackers, to the ability to force device users to give up passwords or encryption keys, to some interesting possibilities for conducting surveillance on devices such as Alexa or Home.

Threat Landscape

The 2018 Verizon Data Breach Investigations Report (DBIR): Understanding the Threats you Face

Christopher Novak, Verizon

All organizations find keeping up with the changing cyber threat landscape tough. The Verizon 2018 Data Breach Investigations Report (DBIR) can help. It's a widely respected report that provides detailed information on the threats governments and other organizations face and how they can mitigate them.     Where many other reports are based on surveys, the DBIR is based on analysis of real security incidents. Chris will provide insight into current cyber threat trends so your organization can effectively prepare, identify and respond;address moving from a reactive perimeter approach to a proactive asset-centric approach to better protect your organization; and share the results of the 2018 DBIR, now in its 11th edition, and how your organization can learn from the analysis.

Risk & Resiliency

Don't Set Your House on Fire: How Smart Cyber Communications Planning Keeps You Out of Trouble

Loren Dealy Mahler, Dealy Mahler Strategies, LLC Presentation

The past year was rough for cybersecurity professionals. With a wave of high profile data breaches making headlines, companies are finally beginning to realize that there is more to incident response than just remediation, and that the cost of an incident can sky rocket with just a few missteps.     The most common misstep, and one of the biggest drivers of both negative headlines and cost, is the way you communicate before, during and after an incident. Far too many companies overlook cyber communications until it's too late.  This session will look at: 5 things every cyber professional should know about smart cyber communications; specific steps you can take now to increase organizational resiliency and avoid being the next major headline; and review case studies from the past year of who got it right and who got it wrong.

Cyber Defense Tactics

Combating Network-Based Attacks with Software Defined Perimeter

John Parmley, Safe T

Organizations have been exposing services (such as HTTP/S, RDP and APIs) to the world in the same way for years. While enterprises may be adding several layers of security, as long as they have fixed perimeter models, hackers will continue to infiltrate external barriers and bring down services using DDoS or phishing attacks.     Software Defined Perimeter (SDP) employs the principle of "what you can't see, you can't hack." By exposing services on-demand and only for authenticated users, SDP hides organizations' critical services from the internet until access is required.    Software Defined Perimeters offer enterprises the ability to deploy perimeters that are invisible and inaccessible to "outsiders" but just as important, can be deployed anywhere - on the internet, in the cloud, at a hosting center, on private corporate networks, or across any and all of these locations.


Session 5: Blockchain

Paper: Challenges and Opportunities for Auditing with Blockchain


June 6 - 1:00pm-1:50pm

Case Studies

Cybersecurity 101

Andrew Dolan, Multi-State ISAC

Princess Young, U.S. Dept. of Homeland Security

In this session, we will discuss the basics on how we as individuals can protect ourselves and our organizations online.  We will cover the top threats facing the government sector in 2018, real life examples of these attacks, and the free resources that governments and individuals can use to combat and protect themselves.


Panic or Prepared? How to be Ready for an IT Compliance Audit

Mike Semel, Semel Consulting

Rose Ketchum, Semel Consulting

Picture a 3-legged stool. It can't stand if one of the legs is missing. Now picture a cyber security or compliance program as a combination of policies, procedures, and evidence. Like the stool, your program won't stand up to an audit or investigation unless all three are in place. Learn what you can do to protect your organization, your career, and your ability to sleep the night before an audit. This session will take you through a simple system any business, non-profit, government, school, or university, can use to prepare for an audit or investigation. You will leave this session with proven steps you can take as soon as you get back to the office.  

Threat Landscape

Episode 1: Insiders and Empires

Albany FBI

Topics to discuss will be FBI Albany casework on insider-threat driven intrusions, nation state sponsored trends, and the benefits of incorporating FBI into the incident response and threat intelligence process.

Risk & Resiliency

Don't Let Social Media Sabotage Your Security

Todd Brasel, NYSTEC  Presentation

Michele Warner, NYSTEC

Social media is a necessary part of today's business environment. The use of social media by your employees can have unanticipated effects on the security and privacy of your organization. Comments and images posted by employees from different levels in your organization, combined with other publicly available information, can reveal important clues about organizational plans and secrets to your competitors. A social media policy can mitigate risk by defining appropriate use of social media by employees and integrate with your overall security plan. This presentation will use real world examples to help you understand the types of security threats that unrestricted social media use can present to your organization. We'll cover key considerations and tips that you can use to develop your own social media policy.

Cyber Defense Tactics

Struts2 and You - The Story of the Worst Breach in History

Arshan Dabirsiaghi, Contrast Security Presentation

After a flaw in the widely used, open source, Apache Struts 2 framework was disclosed by Apache on March 6, an exploit of that vulnerability was released the very next day, March 7, 2017. If you run web applications on the internet, then you most certainly have been or are still being probed. As we build software at faster than ever speeds with more reliance on open source and third-party components, we're all sharing the same security vulnerabilities. Today, nearly 70 percent of software is made up of third-party libraries or frameworks. Think of software development like you're assembling a car. Most of the parts come manufactured by suppliers, and if a part comes with a defect, you're stuck with it. Similarly, if you have a security vulnerability, then you now own the risk of it, even though you didn't code it yourself.     Now, looking specifically at Struts 2 - it was a relatively popular code, but not as popular as some might have expected. What  many do not realize is that attackers don't need you to be running Struts 2 everywhere to be extremely dangerous, they just need it running in one place. Even though the effects of Struts 2 seem to be dying down, we will likely see more attacks similar in nature down the road.      Leaving this talk, you will be able to better prevent and protect your organization against similar vulnerabilities in the future.


Session 6: Machine Learning

Invited Talk: Machine Learning: What is it, and will it help cybersecurity or is it just another thing to be attacked?

June 6 - 2:10pm-3:00pm


Defining Business Need Vs. Risk

Eric Green, Cyber adAPT

Kirsten Bay, Cyber adAPT

Companies are excited by the potential of IoT to streamline operations. By 2020, more than 7 billion business devices are due to be connected - equal to 10 corporate devices for every person on the planet; yet smart tech does not always add value. By using the IoT for its own sake and connecting everything to the web, companies are building numerous  and possibly weak  links in the network chain that could pose a threat to cyber and physical security.    With the potential to jeopardize network security, data, and physical assets, it is clear that all IoT projects should be scrutinized ahead of implementation.     CSOs should carefully consider whether every IoT device is necessary, or if the benefit versus risk balance is incorrectly weighted. Only after assessment of costs, hazards, and benefits, should IoT devices get the green light -- and, after that, they must be constantly analyzed by detection tools, to ensure any hackers that infiltrate them do not have the opportunity to do any harm. That includes the smart coffee machine.

Security Testing

The White Hat's Advantage: Penetration Testing Tools for Web Application Security

Lenny Halseth, Secure Decisions

White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, where attackers have unlimited time and may only need a single vulnerability. This session will discuss how web application penetration testers can improve their white box testing using a new open source tool, funded by the Department of Homeland Security. This tool leverages access to the application server bytecode to provide an advantage to the penetration tester working with the development team.

OWASP Code Pulse instruments the web application server bytecode to provide real-time code coverage while testing the application. This allows the penetration tester to measure how much of the application server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare performance of different testing tools and activities, and communicate useful metrics of testing activity to others.

Upcoming features and major releases will be discussed, a brief demonstration of the tool will be given, and a question and answer portion will complete the session. 

Threat Landscape

Creating a Security Nerve Center for Incident Response in the New Threat Landscape

Ashok Sankar, Splunk

Jason Schogel, Splunk

Over decades our security tactics have been built based on defined perimeters and a defense-in-depth strategy.  This approach has resulted in tools and products strewn across the agency and creating silos of data and operations. No war can be won by fighting on each of our islands, no war can be won if strategy and execution is not able to adapt. Technology and teams needs to share data and context. Systems and humans need to collaborate and defense needs to adapt.  This is more true in today's increasingly complex landscape than before.    What is needed is a Security Nerve Center - a centralized approach that can not only enable sharing and collaboration but adapt and automate response.  This nerve center will not only help accelerate incident response but prioritize incidents that need attention and also provide prediction to get ahead of threats. In this session you will learn how a Security Nerve Center can help reduce incident response times by 80% or more, reduce analyst fatigue and free them to focus on higher priority initiatives.  You will also learn how this methodology helps:  1)Enrich security data with contextual information to prioritize incidents that need attention; 2)Detect and provide answers to the 'what' and 'where'; 3)Thread user activities and identify information across sessions in tech stacks to trace and pinpoint the 'who'; 4)Wire in context and threat intelligence to understand the 'why' and predict what is next; and 5)Create muscle memory  by codifying and automating institutional knowledge like runbooks to reduce time and resources  for triage and remediation.

Risk & Resiliency

Building the Blueprint for Information Security

Michael Giordano, DynTek Services Presentation

Join us for a discussion on how to simplify the risk management process through defined and prioritized security controls and policy and procedure templates that align with industry standards such as NIST and COBIT 5.  We will review creating security safeguards, incident response plans, and communication plans to enable organizations to avoid, detect and counteract security risks.  We will dive into a simplified blueprint to assess your current state, plan and architect for a future state, remediate and deploy new security controls to strengthen your security process.

Cyber Defense Tactics

Raj Goel, Brainlink International, Inc.



Session 7: Digital Forensics Education Round Table


June 6 - 3:20pm-4:15pm


Hardware Roots of Trust for Mission Critical IoT Applications and their Relevance to Emerging Technologies such as Blockchain and Cryptocurrency

Dan Turissini, SPYRUS, Inc.

Hardware Roots of Trust are vital for mission critical applications such as real time health monitoring of aircraft, power grids, other national infrastructures, telemedicine, and homeland security.  Today's network enabled IoT devices are vulnerable to intrusion, denial of services, and hijacking threats that can escalate to Distributed Denials of Service (DDOS) such as the well-publicized Mirai Trojan horse virus.  SPYRUS will present how Hardware Root of Trust mechanisms provide remote trusted cryptographic module attestation to authoritative services, such as a certificate authority, that provides the highest level of confidence to assure proof of: 1) hardware key generation/ protection and 2) encrypted object destination at a specific FIPS or Common Criteria validated level. The presentation will walk through two specific use cases, derived certificates and IoT credential issuance.  Also to be discussed will be the importance of industry standard cryptographic algorithms and protocols, which have NIST and Common Criteria certification to ensure security as well as mitigation of liability issues.  The presentation will close with a discussion of relevance to evolving IoT deployments such as cryptocurrency and block chain.  Discussion points in this area will include ease of integration, and value-added features for use by blockchain developers and system integrators such as remotely managed local secure execution environments, tamper resistant and tamper evident hardware storage of data encryption and signing keys, and layers of multi-agent authorization / authentication to substantially augment and strengthen the inherent capabilities of blockchain and other emerging paradigms.

Security Testing

Not a Free Lunch - Managing Your Open Source Risks

Peter Chestna,

With 90+% of applications made up of open source, it is the largest unmanaged risk to companies today. Do you have an open source inventory including known vulnerabilities? Do you stay current? Do you monitor for new vulnerabilities? Have you heard of Equifax? If you answered "no" to any of these, we should talk.    No one builds software completely from scratch anymore. The use of open source software is at an all time high. The benefits in terms of time to market are too great to ignore. Open source isn't a panacea though and  too often the incorporated library is orphaned and left to fend for itself. As long as it functions properly, why would I ever revisit it?    In the OWASP Top 10 for 2017, A9:2017 - using components with known vulnerabilities, is probably the most ignored of the items in the list historically.     This session will peel back the covers on the depth of the problem with how open source components are used today. As a case study, we will take a look at the deserialization vunlerability in Apache Commons. We will look at the impact of just this CVE on not only first party code but on the entire open source ecosystem.     A strategy for reducing your current and future risk will be provided. This will involve discussions with engineering leadership to institute a reasonable tech debt repayment plan, as well as things that the application security team can do to help.

Threat Landscape

Proactively Blocking Cyber Threats with an Automated End to End Security Fabric.  What you Need to Know?

David Leinberry, Fortinet

In this session we will discuss the current threat landscape, and  the best way to proactively protect yourself.  It starts with a Sandbox, which on average, has a 98.5% detection rate of malware compared to anti-virus (signature based detection) which on average is only 90% effective (based on independent studies.)   The discussion will cover the importance of having a Sandbox as the nucleus of the solution to automatically and proactively block/quarantine those threats at the mail level.   We will discuss the effectiveness of both cloud and on premise solutions.   In closing, we will review the importance of having a SIEM.

Risk & Resiliency

Digital Ethics?  Learn about It Now, While You Still Have Time

John Santoro, Gartner

Artificial intelligence, drones, and robots are still outside of our workday experience for most of us today.  These technologies raise a host of ethical implications, but why should we think about them now?  In this session we will discuss Digital Ethics, a term that if you don't know it now, you will be forced to learn soon.

Cyber Defense Tactics

Jeff Fawcett, CISCO Presentation

Lets talk about capabilities and best practices, no products.


Session 8: Digital Forensics Education Round Table