11:00 - 11:50 A.M.
Securing Your Cloud Network
Thomas Ricardo, Vandis
Today, over 40% of enterprise workloads run in the public cloud. Network and security teams must overcome hurdles such as visibility and access control of ephemeral cloud assets in the environment. These teams need to adopt Infrastructure as Code (IaC) best practices and begin migrating their change control to a CI/CD model of deployment. Not only are teams changing what they work on, they must also adapt the way they operate and execute. The session will discuss how to overcome these challenges and provide insights into how to secure your cloud network. Topics will include the evolution of cloud networking, lessons learned, and the future of securing hybrid networks. We will focus on role-based access control, the elimination of the edge, SD-WAN integration into the cloud, and cloud networking constructs like Virtual Networks and Virtual Private Clouds (VNets and VPCs). We will also highlight the security concerns and solutions built to help teams adapt to the changing landscape of networking.
Avoiding Server-Side Request Forgery (SSRF) Vulnerabilities in ColdFusion/CFML Applications
Brian Reilly
ColdFusion/CFML remains a popular application development platform for government, commercial, non-profit, higher education, and other industries. My goal for this talk is to raise awareness of what may be a security blind spot for some ColdFusion developers. Server-Side Request Forgery (SSRF) vulnerabilities allow an attacker to make arbitrary web requests (and in some cases, requests over other protocols too) from the application environment. Exploiting these flaws can lead to leaking sensitive data, accessing internal resources, and under certain circumstances, remote command execution. Several ColdFusion tags and functions can process URLs in file path arguments -- including some tags and functions that you might not expect. If these tags and functions process unvalidated user-controlled input, this can lead to SSRF vulnerabilities in your applications. In addition to providing a list of affected tags and functions, I'll cover some approaches for identifying and remediating vulnerable code.
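The allowlist check that the remediation half of this talk points to, as an added example in Python (it is not the speaker's code and not CFML): it belongs in front of any tag or function that will open a URL, such as the url attribute of cfhttp. The allowed hosts and the resolver map are constructed so the example runs offline; in production the last step resolves with real DNS and re-checks every returned address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the only hosts the application should fetch from.
ALLOWED_HOSTS = {"feeds.example.com", "cdn.example.com"}

# Constructed resolver map standing in for DNS so the example runs offline.
# In production resolve with socket.getaddrinfo and re-check every address,
# then connect to the checked address rather than resolving a second time.
FAKE_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.35"],
    "evil.example.net": ["10.0.0.5"],   # public-looking name pointing at an internal IP
}


def _is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolve=FAKE_DNS.get):
    """Return (ok, reason); ok is True only when every check passes.

    Call this on the user-supplied value before it reaches cfhttp or any other
    tag/function that will open the URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"          # file://, ftp://, gopher:// ...
    if parts.username or parts.password:
        return False, "userinfo not allowed"       # http://feeds.example.com@127.0.0.1/
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed"    # never matches the allowlist; fail early
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    addrs = resolve(host) or []
    if not addrs or not all(_is_public_ip(a) for a in addrs):
        return False, "host resolves to a non-public address"
    return True, "ok"
```

The allowlist is the real control; the scheme, userinfo and IP-literal checks exist so that the common bypasses produce a clear rejection reason instead of a confusing "host not in allowlist". The resolution check catches the case where an allowlisted name is later pointed at an internal address.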
VBS, DLLs, Obfuscation, Oh My! How I Safely Teach Malware Analysis
James Antonakos, Broome Community College
In this presentation I will show how a second-semester, 15-week Malware Analysis course is taught to students with only a single programming course under their belts. Malicious examples of VBS, JavaScript, PowerShell, EXE, DLL, ASP and more are provided, all culled from actual DFIR investigations. Details are provided on how each type of malware is handled safely, as well as the different tools used during the course, from CyberChef to IDA.
The Truth About Zero Trust: How to Mitigate Cyber Risks
Ted Ede, Rubrik
Every week the news on ransomware attacks gets worse. When you're up against an organized, well-resourced attacker, you need to think again about how your municipality defends against attacks. But when you don't know the blast radius of an attack, whether sensitive data is affected, and how long it may take to recover, often the only option is to pay up. The best defense is Zero Trust - employing security at the point of data. But how do you employ Zero Trust, and how do you put in place an architecture that means your backups truly are immutable?
Attend this session to learn:
- Why you need to think differently about data security.
- Why Zero Trust should be a strategic priority for every organization.
- Best practice for implementing the principles of Zero Trust.
- How to build effective protection against ransomware.
Everything You Ever Wanted to Know About How New York Elections Are Secured but Were Afraid to Ask
Sean Murray and Jeannine Jacobs, NYSTEC
Ben Spear and Michael Haber, NYS Board of Elections
Since the U.S. Government acknowledged foreign intrusion attempts in 2016 and 2020, Election Security has been an increasingly hot topic for discussion. With misinformation and attacks on election trust and integrity appearing in the news and media on a regular basis, understanding the truth about the procedures and protections in place to protect the electoral process here in New York is more important than ever. In a moderated panel discussion, our panel of election and security experts from the NYS Board of Elections and NYSTEC will address the topics below as well as answer questions from the audience:
- Election Infrastructure in New York
- Security and Oversight of Voting Technology
- County Operations and Systems
- Vote Tabulation and Audit of Results
- Paper Ballots & Absentee Voting
- And So Much More!
ASIA Session 5: Cyber Security Resilience
Paper: A Combative approach for enhancing Cybersecurity Resilience: Systemic Synthesis of Industry Risks, Practices and Outcomes
Mehak Bhatia, Vamsi Kongala, Manish Gupta, and Raj Sharman, SUNY-University at Buffalo
Paper: A Theoretical Framework for Customers' Trust Repair following a Data Breach: A Conceptual Model
Zareef Mohammed, Gurvirender Tejay, and Cristian Balan
1:00 - 1:50 P.M.
Ansible for the CDM use case
Ajay Chenampara, Red Hat
The Continuous Diagnostics and Mitigation (CDM) Program provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM technical capabilities laid out by the Department of Homeland Security list four phases of this approach. In this talk we'll look at how Ansible can help agencies achieve the CDM capabilities through repeatable, reusable automation.
A Dynamic Process for Minimizing the Likelihood and Impact of Cyber Attacks
Chris Jensen, Tenable
Cyber-attacks, including ransomware and other state-sponsored exploits, continue to increase with no letup in sight. Defending against those attacks is a challenging, but not impossible, task. An effective cyber defense needs to be multi-layered, just like an effective physical security plan. In this presentation, we will highlight the importance of a dynamic risk-based vulnerability management program that focuses on three primary attack paths and will recommend defensive measures to disrupt those attack paths and prevent damaging cyber-attacks. These three attack paths, most commonly used by cyber hackers, are: 1) unpatched known vulnerabilities; 2) Web Application Scanning for dynamic scans and unique fully qualified domain names; and 3) insecure Active Directory (AD). In this session, we will provide recent real-world examples that demonstrate how the failure to secure these attack paths has resulted in damaging cyber-attacks. Highlights include:
- How to overcome vulnerability overload with a risk-based approach to Vulnerability Management that enables you to concentrate on the small percentage of vulnerabilities that actually pose cyber risk
- Why Directory Services, such as AD, are the center of trust and a critical part of establishing a "Zero Trust" environment
- How a dynamic AD security solution enables you to see all of your vulnerabilities, predict which pathways attackers may target, and act to detect, shut down and prevent attacks
- Why employing secure configurations and other safeguards to harden your environment can minimize the damage and prevent data exfiltration
- Why using a dynamic tool to measure, continuously monitor, and address vulnerabilities is essential to prevent cyber-attacks.
Gotcha! How to Avoid the Top 10 Pitfalls in Security Questionnaires, Cyber Insurance Applications, Privacy Policies, and more
Mike Semel, Semel Consulting LLC
F. Paul Greene, Harter Secrest & Emery
Hackers aren't the only risk a security team faces. The sheer volume of security questionnaires, self-assessments, applications, and other forms the security team is handed or handles can often get in the way of actually implementing the controls required to keep a system safe. On top of that, these forms can be full of "gotcha" questions that can create more risk for an organization than an attacker or unpatched vulnerability can. This discussion will use real world examples of these "gotcha" questions and offer proven strategies for mitigating the ever increasing "gotcha" risk. It will address the vendor due diligence process, insurance applications and policy terms, and even the risk inherent in an organization's privacy policy, where promises and disclosures can both help and hurt an organization. Participants will leave with a better understanding of these often-hidden risks and a set of actionable principles they can use to mitigate them.
Cybersecurity Culture: Effectively Promoting Security Throughout an Organization
Dylan Famolaro, iSECURE, LLC
This session will focus on the dynamics behind Zero Trust while highlighting how to get all departments within an organization on board with Cybersecurity. As cybersecurity seems to be looped in as an "IT issue," this session will focus on how to make cybersecurity a priority for all departments and instill basic principles that can be enacted within an organization. Real life case studies and ideas will be shared to allow listeners to takeaway ideas to make cybersecurity exciting in their organization.
How Cyber Insurance Integrates with Technology Companies
Adam Cottini, CrowdStrike
From 2020 to the present, ransomware has increased in frequency and severity, resulting in significant cyber insurance claims. Insurers modified their underwriting guidelines in 2021 and continue to demand that insureds implement appropriate risk-reducing solutions, while at the same time increasing premiums and changing terms and conditions. Key underwriting criteria and controls that will be presented include:
- Multi-Factor Authentication,
- Endpoint Detection and Response and Managed Detection and Response,
- and Identity Protection.
ASIA Session 6: Insider Threats & Critical Infrastructure
Paper: Compressed Folders as Covert Channels
Namita Madhira, Eric Seaver and Daryl Johnson, Rochester Institute of Technology
Paper: A Critical Analysis of Hardware Trojan
Obioma Nwachukwu, and Sanjay Goel, SUNY - University at Albany
2:10 - 3:00 P.M.
Managing Cloud Computing's Cybersecurity and Information Risk
Dean Maloney, GreyCastle Security
Public and private-sector organizations across every industry have continued their migration to the cloud in some capacity. Some aren't even fully aware of it, as they are purchasing third-party offerings that exist completely in the cloud but appear to execute locally on their desktops. While cloud computing solutions offer very real and measurable benefits, they also require continued analysis and understanding of cybersecurity and information risk.
Join GreyCastle Security for a look at cloud computing and associated cybersecurity and information risks that should be considered. This session will provide the top trends of cloud computing's impact on cybersecurity as well as important considerations for utilizing this architecture.
Managing Business Risks Using Vulnerability Scanning
Diane Reilly, Carson & SAINT
Frederick Scholl, Monarch Information Networks
Vulnerability scanning is a common method to help manage risk, but it is hampered by the challenge of making it business relevant. In this presentation we will show how to connect "Tier 2" mission and business process information to "Tier 1" systems and network vulnerabilities. Tier 2 information is collected using Obashi templates and then stored in the scanning tool's database. Using this method, security practitioners can rank vulnerabilities by business impact, thereby focusing limited resources on remediation. Reporting is therefore easier for business leaders to understand. A demonstration will be included using SAINT and Obashi run against a model business organization.
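The Tier 2 to Tier 1 join the abstract describes, as an added example in Python (not SAINT's or Obashi's code): the process map, the 1 to 5 criticality scale, the host names and the findings are constructed stand-ins for what the templates and the scanner database would hold.

```python
from collections import defaultdict

# Constructed Tier 2 data: which hosts each business process depends on and
# how critical that process is (1 = low .. 5 = mission critical).
PROCESSES = [
    {"process": "Order fulfilment", "criticality": 5, "hosts": ["web01", "db01"]},
    {"process": "Intranet wiki",    "criticality": 1, "hosts": ["wiki01"]},
    {"process": "Payroll",          "criticality": 4, "hosts": ["db01", "hr01"]},
]

# Constructed Tier 1 scan findings: host, finding id, CVSS base score.
FINDINGS = [
    {"host": "wiki01", "id": "F-101", "cvss": 9.8},
    {"host": "db01",   "id": "F-202", "cvss": 7.5},
    {"host": "hr01",   "id": "F-303", "cvss": 5.3},
    {"host": "lab07",  "id": "F-404", "cvss": 9.0},   # not mapped to any process
]


def host_impact(processes):
    """Map host -> (highest criticality of any dependent process, sorted process names)."""
    crit, names = defaultdict(int), defaultdict(set)
    for p in processes:
        for h in p["hosts"]:
            crit[h] = max(crit[h], p["criticality"])
            names[h].add(p["process"])
    return {h: (crit[h], sorted(names[h])) for h in crit}


def rank_by_business_impact(findings, processes, unmapped_criticality=1):
    """Score = CVSS x criticality of the most critical process on the host.

    Hosts with no Tier 2 mapping get a floor weight so they are not silently
    dropped; an unmapped host is itself a finding for the inventory."""
    impact = host_impact(processes)
    ranked = []
    for f in findings:
        crit, procs = impact.get(f["host"], (unmapped_criticality, []))
        ranked.append({**f, "criticality": crit, "processes": procs,
                       "score": round(f["cvss"] * crit, 1)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

The ordering is the point: the CVSS 9.8 finding on the wiki server drops below the 7.5 on the database that both order fulfilment and payroll depend on, which is the conversation the abstract wants to have with business leaders.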
Overcoming Cyber Challenges: How to Respond, Remediate and Collaborate
Allen McNaughton, Infoblox Public Sector
In the unfortunate event of an incident, there are three key challenges to overcome - time to respond, time to remediate and improve collaboration. Working across disparate organizations or with a coordinated attack, these three challenges can become exponentially more difficult. This session will help you better understand how certain technologies can help you reduce your time to respond, remediate attacks, and increase collaboration both within and across an organization.
How You Can Implement Well-Architected 'Zero Trust' Hybrid-Cloud Computing Beyond 'Lift & Shift': Cloud-Enabled Digital Innovation At Scale with Infrastructure as Code (IaC), DevSecOps & MLOps
Yogesh Malhotra, Global Risk Management Network, LLC
Exponential improvements in Cloud Computing architectures and capabilities offer unprecedented speed and agility for global Digital Innovation along with much needed integration of Smart Automation and Cyber Resilience at scale. However, as evident from industry surveys of business and technology executives, most need help in getting up to speed with the rapidly evolving Cloud technology platforms and architectures. Given rapidly accelerating pace and sophistication of global cyber-attacks threatening critical IT and OT infrastructures, advancing beyond "legacy" on-premises and virtualized data centers is not a matter of discretionary choice, but a matter of existential survival. As Silicon Valley-Wall Street-Pentagon Digital pioneer 'born on the cloud' and MIT-Princeton Faculty-SME for Artificial Intelligence (AI), Machine Learning (ML), Deep Learning (DL), Cybersecurity-Cryptography and Quantum Computing practices, we advance vendor-agnostic product-neutral Network-Centric Cloud Computing applied industrial practices. As Digital Transformation and AI-Cybersecurity pioneers, our US Air Force Research Lab Commercialization Academy ventures such as the New York State IDEA Award Finalist Venture lead industry practices on most optimal integration of AI-ML-DL, Cyber-Cryptographical Resilience Engineering and Quantum Computing. Drawing upon our Big-3 Cloud Computing Network Partner practices with comparative understanding of the leading Cloud Computing Providers and related Cloud Computing implementation and migration strategies, we shall advance technology leaders' understanding about the key Cloud Computing implementation-migration strategies and related technological-architecture issues hence enabling systematic Cloud adoption.
Hardened DevSecOps Pipelines - Secure Your Software Supply Chain
Darren Pulsipher, Intel Corp
When organizations think about security, they focus their scarce resources on securing production environments and data. However, recent attacks on the development process have led to infiltration of the software supply chain that developers rely on. A modern approach to hardened DevSecOps environments can utilize a hardware root of trust, secure build enclaves, attested traceability of build steps and ingredients, and incorruptible CI/CD pipelines. Find out how to leverage today's technologies to harden your DevSecOps pipeline and help guarantee software integrity.
ASIA Session 7: Forensics Education
Panel: The Changing Face of Cybersecurity Education - Panel of Experts Discussion
Zareef Mohammed and Del Hart - SUNY Plattsburgh, David Atkins - University at Albany, SUNY, Kevin Geil -GreyCastle Security
3:20 - 4:15 P.M.
Centralized Data Protection Gateway
Phaneendra Bhyri and Karl Erber, PruTech Solutions
In this session, we will cover an approach and reference architecture we developed to help a client meet several regulatory and compliance requirements for hundreds of web applications being migrated from on-prem to cloud. We met the goals by centralizing the data protection policies in a highly scalable (built on a Docker and Kubernetes stack) and secure gateway that enforced fine-grained access control using RBAC and ABAC policies to automatically secure data by applying tokenization, encryption and/or masking. This approach significantly reduced the effort on the application teams' part (in some cases, it took just a few lines of code changes per web app).
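A reduced version of the policy decision such a gateway makes, added here as an example in Python and not PruTech's reference architecture: the rules, roles, data classes, purposes and the vault are all constructed. Encryption is left out because the Python standard library has no AES; the example covers the tokenize, mask, pass-through and deny outcomes, with role (RBAC) and request attributes (ABAC) evaluated together.

```python
import secrets

# Constructed policy: first matching rule wins, '*' matches anything.
# Each rule is (attribute match, action).
POLICY = [
    ({"role": "fraud-analyst", "class": "pan", "purpose": "investigation"}, "plain"),
    ({"role": "*",             "class": "pan", "purpose": "*"},             "tokenize"),
    ({"role": "support",       "class": "ssn", "purpose": "*"},             "mask"),
    ({"role": "*",             "class": "ssn", "purpose": "*"},             "deny"),
    ({"role": "*",             "class": "public", "purpose": "*"},          "plain"),
]

VAULT = {}   # token -> original value; stand-in for a real token vault


def decide(ctx):
    """Return the action for a request context; default deny when no rule matches."""
    for match, action in POLICY:
        if all(v == "*" or ctx.get(k) == v for k, v in match.items()):
            return action
    return "deny"


def tokenize(value):
    """Replace the value with a random token that only the vault can reverse."""
    token = "tok_" + secrets.token_hex(8)
    VAULT[token] = value
    return token


def mask(value, keep=4):
    """Keep only the trailing characters, as a support agent would need."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def protect(record, schema, role, purpose):
    """Apply the decided action to every field. schema maps field -> data class;
    a field with no class falls through to deny, so unclassified data never leaks."""
    out = {}
    for field, value in record.items():
        ctx = {"role": role, "class": schema.get(field, "unclassified"), "purpose": purpose}
        action = decide(ctx)
        if action == "plain":
            out[field] = value
        elif action == "tokenize":
            out[field] = tokenize(value)
        elif action == "mask":
            out[field] = mask(value)
        else:                      # deny: the field is withheld from the response
            out[field] = None
    return out
```

Because the decision is made centrally per field, an application only has to send its records through the gateway with its role and purpose; it never needs to know which fields are card numbers, which matches the "few lines of code per app" outcome the abstract reports.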
Securing APIs in an increasingly connected ecosystem
Bhaskar Agarwal, Nagarro Inc.
As organizations increasingly need to innovate, and keep finding new ways to do so, they need APIs to make the exchange of data more refined, easier, more omnichannel and more contextual. This session will focus on aspects of creating and curating secure APIs at every step of their development lifecycle:
- Common cyber-attack paths
- Understanding the potential risks with APIs
- Securing APIs during the design
- API-as-a-Product
- Threat Modeling
- API authentication & authorization
- API development & documentation
- Machine-readable formats
- Catching API drifts in implementations
- Data Security
- API Security testing
- Deployment, Discovery, and associated infrastructure:
  - API Inventorization: Discovery & cataloging
  - Logging & monitoring
  - Network security for APIs - message safety and confidentiality
  - Runtime protection
At the end of the session the audience will have a better understanding of security considerations at each important API lifecycle stage and can appreciate the associated challenges and concepts more deeply.
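For the "machine-readable formats" and "catching API drifts in implementations" items above, an added example in Python (not from the session) that diffs an OpenAPI paths fragment against a framework's exported route table. Both inputs are constructed; the normalisation step makes the {id}, <id> and :id parameter styles compare equal so that a spec written in one style and a router in another do not produce false drift.

```python
import re

# Constructed OpenAPI 'paths' fragment; only path and method keys matter here.
SPEC = {
    "/users/{id}": {"get": {}, "delete": {}},
    "/users": {"get": {}, "post": {}},
    "/reports/{year}": {"get": {}},
}

# Constructed route table as a web framework might export it: (method, template).
IMPLEMENTED = [
    ("GET", "/users/<id>"), ("DELETE", "/users/<id>"), ("PUT", "/users/<id>"),
    ("GET", "/users"), ("POST", "/users"),
    ("GET", "/admin/debug"),
]

# Matches {name}, <name> and :name path parameters.
_PARAM = re.compile(r"\{[^}/]+\}|<[^>/]+>|:[A-Za-z_]\w*")


def normalize(path):
    """Collapse parameter names and trailing slashes so templates compare equal."""
    return _PARAM.sub("{}", path.rstrip("/") or "/")


def find_drift(spec, implemented):
    """Return shadow endpoints (served but undocumented) and phantom endpoints
    (documented but not served), each as sorted (METHOD, path) pairs."""
    declared = {(m.upper(), normalize(p)) for p, ops in spec.items() for m in ops}
    live = {(m.upper(), normalize(p)) for m, p in implemented}
    return {
        "shadow": sorted(live - declared),
        "phantom": sorted(declared - live),
    }
```

Shadow endpoints are the finding to act on: PUT /users/{id} and GET /admin/debug are reachable but were never reviewed against the contract, so they have had none of the design-stage threat modeling or authorization review the list above describes. Running this check in CI against the exported route table keeps the inventory item ("discovery & cataloging") honest between releases.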
At the Heart of the SOC: Apache Kafka & Data Streaming for Cyber Operations
Bert Hayes and Bob Liebowitz, Confluent
Apache Kafka has become table stakes for cloud native applications. Its data streaming approach has made microservices architecture scalable by boosting the speed of integrating disparate assets, while slashing the overhead needed for maintaining constantly changing integration requirements. Because it is an open-source data streaming platform, Kafka has been widely adopted by SOCs responsible for complex, multi-tenant operations in the federal government. SIEM technologies including Splunk, Elastic, ArcSight, and others all maintain connectors to push and receive data through Kafka. This talk will highlight how several SOCs in the federal government have adopted Kafka to streamline their operations.
Zero trust execution in 2022
Matthew McFadden, General Dynamics Information Technology
In this session, we will provide insight into executing a Zero Trust architecture beyond the buzzwords, including use cases and a strategy for implementation in thwarting adversaries. Zero Trust is a cyber strategy under which users, applications, data, and networks are never implicitly trusted and are always verified. Learn how to develop a defense in depth approach to a zero trust ecosystem and establish an architecture and strategy for the enterprise that leverages automation, AI/ML, and native technologies to drive a prevention-focused transformation model. GDIT will provide insight around Zero Trust execution and strategy supporting various use cases of enterprise Zero Trust implementations across the federal landscape.
How to improve the current state of Industrial Control Security
David Beidelman, Stratascale
We will dive into the world of Industrial Control environments and learn how these systems have become increasingly vulnerable to attack. We answer why this has become such a problem today. A top-level security evaluation approach will then be covered which is the catalyst for building a strong security program for operational technology networks and systems.
ASIA Session 8: Intrusion Detection
Paper: Robust TTP Detection Analytic Development: The Hunt for Invariant Behaviors
Andrew Rendo, Disha Nagasiddappa Somashekar, Zachary Bruno, Chandralekha Bhogadi, Hamza Jaffery, and Sanjay Goel, SUNY - University at Albany
Paper: Contextualizing Vulnerability Priority Through a Threat-Centered Approach
Dominick Foti and Sanjay Goel, University at Albany
Interactive Monitoring
11:00am-3:30pm
*This is an all-day event - Laptop Required
Blue Team Challenge
Trend Micro
Calling all security experts! Imagine that a company is in a critical situation - you're being attacked by cybercriminals. Would you be ready to face the challenge?
Navigate a simulated cyberattack in real-time. The online game is designed to provide hands-on experience tackling real world security problems using threat hunting and breach detection. Whether you are a novice or a skilled security professional, this experience has something for everyone. Compete in teams alongside your peers to run cyberattacks in a controlled environment. Join this fast-paced online challenge and:
- Understand the tools and techniques used by hackers
- Remediate vulnerabilities and identify infrastructure security gaps
- Plan and implement security measures and respond to threats