Hacking the signals: From a Practitioner to Leading Security Professionals

As a high performing individual contributor, if you want to succeed as a leader, is the answer to fit in with “management” and the status quo, and lose your own sense of identity in the process? Or can you carve out a great niche for your authentic self, lead a security team and still be you? How do you move up without compromising yourself?

Transitioning from being a security practitioner to being the leader of a security or technical team is a path that meanders through insecurities, values, and ultimately growth. It is often about embarking on the unknown, where you discover new abilities and qualities like the power of a personal advisory board and fail-fast-forward. For me it is profoundly important to help others take on this challenge and empower them to succeed. I will share my personal story, provide guidance, the do’s and don’ts, and (look to) create dialogue and inspiration.

Automating security operations in the Cloud

Security of assets can be a big challenge whether you are in the Cloud or in an on-premises environment. With the Cloud, you gain the flexibility to automate security operations thanks to well-integrated services. In this session, we will discuss how you can achieve security goals in an organization through the use of Cloud security best practices.

Exploiting Web Apps: Hands-On

Learn attack techniques in a fun, CTF-style hands-on workshop. Participants will attack Web applications using: command injection in Bash, PowerShell and ImageMagick; SQL injection; Cross-Site Request Forgery; Cross-Site Scripting; cookie manipulation; and exploits against Drupal and SAML. We will also implement network defenses and monitoring agents. We will use Burp, Splunk, Snort, and simple Python scripts.

Prerequisites: participants should know basic security and networking. Experience with Web development is helpful but not necessary.

Students must have a computer with a Web browser and Java. For some projects you will need a Linux or Windows virtual or cloud machine.

All project instructions and materials are freely available online.

Exploiting Data Subject Access Rights under New Privacy Laws

The ability to request access to all the personal information a company has on an individual under new privacy laws such as the GDPR and CCPA has created new attack vectors for social engineering. These personal data access requests are usually managed by legal or compliance teams with minimal security review, increasing the potential for successful phishing, OSINT, and “legal DDoS.” This talk will discuss the personal data access options required in different regions, how most companies respond to data access requests, and the most effective exploits for privacy vulnerabilities. We’ll explore the psychology driving corporate responses to requests and ways these emotions can be exploited, as well as the most likely targets for a weak privacy program. A cheatsheet with key sections of the laws you need to know for successful exploits will be included.

Hacking Modern Webapps

Web applications power everything, and penetration testers/red team members need to know how to use, and abuse, the new technologies that modern web apps are using. This talk will cover more modern web application features like web application local storage, Cross Origin Resource Sharing, and WebSockets from a penetration tester’s perspective.

Attacking & Defending AWS S3 Bucket

In the recent past, we have seen various well-known organizations suffer AWS S3 bucket data leaks exposing millions of customer records and confidential corporate information. Hackers enumerate and try to find publicly accessible S3 buckets because they are like a public share full of juicy information. In most cases, excessive permissions and misconfiguration were the main reasons for data exposure. In the rush to get the most benefit from the cloud, security considerations are avoided or ignored, leaving S3 buckets exposed. Though organizations are working hard to secure data in the cloud, more effort is required to make sure people, process and technology work hand in hand to protect data in the cloud. In this talk, the audience will learn to enumerate public S3 buckets and gain access to them through open-source tools. Further, it will be demonstrated how READ, WRITE, READ_ACP, WRITE_ACP or FULL permissions on buckets/objects can be exploited to download sensitive information or upload unintended content. Following that, AWS security tools, services and features will be recommended to secure and restrict S3 buckets. The emphasis is on customer responsibilities, so that customers understand the importance of their role in securing S3 and avoid misconfigurations.

“Ain’t Nobody Got Time For That!”: Understanding Algorithmic Game Theory and Price of Anarchy

As cyber becomes the new battlefield for the lowest levels of criminal activity, much of our cyber defense posture as a community is built on Anti-Virus (AV) signatures (and other alert based systems), and policy. What do we know about the people/entities we are protecting ourselves against? In this game of cyber chess, how do we know what move to make next? There is a mathematical model of study that is growing in popularity in the Computer Science community called Game Theory. Algorithmic Game Theory could help advance algorithmic systems to identify malicious activity BEFORE it affects a network (being proactive vs reactive) by using strategic decisions based on the interactions of rational decision makers. But what about negligence in following policy as a kind of insider threat? Price of Anarchy (PoA) is a subset of Game Theory that analyzes and attempts to measure how much a system can be degraded by selfish behaviors.

This talk is for everyone looking to crack the egg of cyber defense and stop the Whack-A-Intrusion game, and asks how we can use Game Theory to create proactive solutions in the technical and psychological realm of cybersecurity. We will discuss what Game Theory is, how it is being used today in Cybersecurity, and then attempt to apply a non-cyber principle (PoA) to further calculate whether the changes we are making in cyber defense are actually helping us become more secure (or whether it is just lip service). This talk will NOT tell you the best AV to use. The purpose is to show you a different way of thinking about defense decision making, down to the employee/policy level.

Sneaky Wi-Fi Networks Stealing Your Passwords

Can you trust the Wi-Fi networks you connect to? This talk will briefly discuss an incident triage that was conducted after two employees’ laptops, connected to a hotel’s wireless network, were found to be attempting connections to an IP address (on the internet) via SMB. This sort of activity is generally viewed as suspicious, as hackers can use it to capture NTLM password hashes. Once the root cause of the suspicious network traffic is revealed, a proof-of-concept attack will be explained and demonstrated. It will show how easily connecting to Wi-Fi can lead to sending your computer’s username and NTLM password hash to an attacker.

Mythbusters: Cyber Threat Intelligence Edition

Cyber threat intelligence (CTI) is a powerful tool to enable organizations to make better decisions. But too often, common myths and misconceptions about it prevent analysts from making it as effective as it could be. This talk will discuss commonly-believed untruths about CTI while helping the audience understand how they can use CTI to support better decision-making and improved defenses. The audience will take away a richer understanding of CTI and why they should care about it, while being empowered to go back to their teams and help others understand its value as well.

CTI AfterDark

“Beauty may be dangerous, but intelligence is lethal.” Bad guys everywhere experience the pain of burning their infrastructure due to being spotted by defenders. Cyber Threat Intelligence is one of many strategies defenders use to make it harder for bad guys to be bad. Cyber Threat Intel Analysts are a group of dedicated professionals that play a wicked meme game but also sniff out badness on the internet for their employer. In this talk, I’ll share a typical day in the life of a Cyber Threat Intelligence Analyst. Learn how CTI operates to better understand how you can interact with and leverage an integral team in your enterprise. Get some CTI techniques you can use in your everyday life and even at your workplace! If you’ve ever been curious, catch a glimpse into the secret world of CTI AfterDark.