We Broke the Code – Now Let’s Rewrite the OS!

Women have made great strides since we entered the workforce. We have a foot firmly in the door, and are scrambling for seats at the table. Now that we are in the system, it’s painfully obvious that the rules weren’t written with our requirements in mind and the code is woefully outdated.

How do we adapt the mad skills we developed to break into a male dominated industry, to find our niche and encourage more women to join the ranks? Are we going to settle for minor bug fixes and a superficial graphics refresh, or are we going to work together to rewrite the operating system?

We may not be able to accomplish everything at once but we can do something at once. We can start by re-programing ourselves, open-sourcing that code, and building a self-healing network and an operating system that is resilient enough to support our growing community. Let’s get started now!

Ethics in Social Engineering – Destroying the Target is Not the Goal

Ethics in penetration testing, and specifically in social engineering, is a topic that is rarely addressed and frequently left up to the individuals involved. What is the difference between morals, ethics, and culture? Why do those distinctions matter? This presentation discusses best practices and the potential adverse impacts of unethical behavior. Why should the Social Engineer care about the target, and why should the client care about the Social Engineer's ethical values and approach?

Is it time to think about Incident Response differently?

While so much in the threat landscape is changing, why have our Incident Response processes stayed the same? They have not adapted to the latest threats, which can put organizations at risk. This talk will present conclusions from doctoral research on the implementation of double-loop learning as a way to improve the incident response process. The presentation discusses the success of incorporating learning loops into IR cycles. Incident response is traditionally taught as a single-loop learning cycle, but research shows double-loop learning can help limit or mitigate the extent of new issues and includes constant learning at each phase.

Hacking Humans: Addressing Vulnerabilities in the Advancing Medical Device Landscape

As technology advances, the health care critical infrastructure sector comprises much of the potential attack surface of the national security landscape. Medical devices are being fitted with “smart” technology in order to better serve patients and stay at the forefront of health technology. However, medical devices that enable connectivity, like all other computer systems, incorporate software that is vulnerable to threats.

Medical device recalls increased 126% in the first quarter of 2018, mostly due to software issues and vulnerabilities. Abbott and Bayer, among other medical device companies, had recalls on devices based on weaknesses discovered by both government security entities and academic institutions. These devices, which included pacemakers, infusion pumps, and MRI machines, were found to have vulnerabilities ranging from buffer overflow bugs to the presence of hard-coded credentials that easily lent themselves to unauthorized access to proprietary information.

A breach of any one of these devices could compromise data confidentiality, integrity, and availability, as well as patient safety. In order to mitigate these types of vulnerabilities, the FDA has issued guidance, as well as a vulnerability scoring system, in order to assess impact. This system assesses the attack vector, the complexity, the risk and severity of both patient harm and information compromise, and the remediation level. By utilizing a more rigid system along these guidelines, there is hope that the threat of a medical device attack will be diminished.

This talk will explore some of the past and current vulnerabilities facing the medical device industry, and the steps that the FDA is taking to mitigate these risks.

Please don’t hate me, but I need to social engineer you now.

The “ether sheet”, also known as the “blood/brain barrier”, is a sheet that covers the face of a patient in surgery. While it is practical for sterilization, it also helps a surgeon make the cut. While all doctors take an oath to “do no harm,” for some, they need to do some harm before thorough healing can happen. Similarly, social engineers need to do some harm in order for security awareness to advance. However, there is no defined blood/brain barrier for social engineering. Without one, social engineers are vulnerable to feelings of guilt and remorse even though they are working for the greater good. Those feelings can prevent a good social engineer from being a great social engineer. This research explores how to build one’s own social engineering blood/brain barrier so that social engineers can protect themselves in their efforts to better protect others.

Hacking the signals: From a Practitioner to Leading Security Professionals

As a high-performing individual contributor, if you want to succeed as a leader, is the answer to fit in with “management” and the status quo and lose your own sense of identity in the process? Or can you carve out a great niche as your authentic self, lead a security team and still be you? How do you move up without compromising yourself?

Transitioning from being a security practitioner to being a leader of a security/technical team is a path that meanders through insecurities, values, and ultimately growth. It is often about embarking on the unknown, where you discover new abilities and qualities like the power of a personal advisory board and fast-fail-forward. For me it is profoundly important to help others take on this challenge and empower them to succeed. I will share my personal story, provide guidance, the do’s and don’ts, and (look to) create dialogue and inspiration.

Automating security operations in the Cloud

Security of assets can be a big challenge whether you are in the Cloud or in an on-premises environment. With the Cloud, you gain the flexibility to automate security operations due to well-integrated services. In this session, we will discuss how you can achieve security goals in an organization through the use of Cloud Security best practices.

Exploiting Web Apps: Hands-On

Learn attack techniques in a fun, CTF-style hands-on workshop. Participants will attack Web applications using: command injection in Bash, PowerShell and ImageMagick; SQL injection; Cross-Site Request Forgery; Cross-Site Scripting; and cookie manipulation, and will exploit Drupal and SAML. We will also implement network defenses and monitoring agents. We will use Burp, Splunk, Snort, and simple Python scripts.

Prerequisites: participants should know basic security and networking. Experience with Web development is helpful but not necessary.

Students must have a computer with a Web browser and Java. For some projects you will need a Linux or Windows virtual or cloud machine.

All project instructions and materials are freely available online.

Status: Ready – Preparing for your next Infosec Role

What happens when you are tired of your current InfoSec role, experience an unexpected layoff, or would like to move on or up in your career? Instead of waiting to land a new job to learn new skills, you can already be getting a head start on being the perfect candidate for your next role! This talk will discuss self-learning and taking the initiative to learn new skills on your own time for free or at a discounted price. I want to encourage others not to wait for their employer, university or a bootcamp to get new skills. I will be providing resources and strategies that can be used to advance in your InfoSec career. Key factors to advancing in your InfoSec career include never stopping learning, your future job title, networking, and investing in yourself. After this talk, you will gain the confidence and the resources to prepare for your next InfoSec role.

Web Application Penetration Testing: An Introductory Workshop for Developers and Security Professionals at All Levels

In this completely hands-on workshop, you will get to understand the techniques and methodologies that can be applied when performing web application penetration testing. Throughout this workshop, you will use the Burp Suite tool, which is a conglomerate of distinct tools with powerful features. Apart from gaining familiarity with the tools and the techniques involved in application security testing, you will also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 list. I will provide you with a vulnerable website, and you will uncover security issues in it even if you have never done this before!

It will also include a pinch of Agile Methodology, DevSecOps and CI/CD pipelines.