Speaker Feature: Karen Cole

www.assuraconsulting.com

@assura_inc

Karen Cole is the CEO of Assura, Inc., a cybersecurity consulting firm located in Ashland, Virginia. Her company just celebrated its 11th year in business and is considered in the top 1% of women-owned companies in the United States according to a recent study by the U.S. Women’s Chamber of Commerce. Throughout her 20+ year career, Karen has worked with various executives, boards of directors, and legislators to bring cybersecurity to the executive level and get programs the support and resources they need. Many times, she has helped them work through their own 5 Stages of Grief to get them to embrace their new corporate responsibilities.

From Grief to Enlightenment: Getting the Executive Support for Information Security

Most information security professionals got into the field to enjoy the technical challenges of keeping the hackers at bay. However, as information security has moved into the executive level of organizations, most professionals struggle to connect with executives and get the support they need for their programs. Karen Cole has been successfully handling the most ardent opponents of information security (think politicians, board members, and C-suite executives) for 16 years, getting her clients what they need. This session is focused on real-world actions you can take to get the support and resources for your program. Leave your governance theory at the door. This session is going to get real!

Come see Karen at RVAsec! Register Now.


Speaker Feature: Tyler Townes

Tyler Townes, CISSP

@tyler_townes

Tyler works at BlackBerry Product Security as a Security Program Manager and is the lead incident manager during emergency response events. His focus areas include SDLC, sustained engineering, vulnerability management, and risk management across multiple operating systems. He is currently researching pre-acquisition and post-acquisition security processes. In the past, Tyler has been responsible for vetting malware being submitted to mobile app stores, and ensuring that users are properly informed of the privacy risks posed by mobile applications and mobile ad packages.

Let’s build an OSS vulnerability management program!

Does your company use Open Source Software (OSS) libraries in the products that it builds? Do you worry that your customers and company will be exploited because no one in your organization is maintaining those libraries with vulnerability fixes? Let’s do something about that.
During this presentation, we will start from nothing and build a process for identifying the OSS libraries that your company uses in order to build a bill of materials.  We will source threat intel on those libraries, and we will take action to remediate the vulnerabilities in our source code repository so that we can keep our customers and company safe.
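The process sketched above (inventory the libraries you ship, match them against vulnerability intelligence, decide what to fix) in working code, as an added example that is not Tyler's or BlackBerry's own tooling. It walks a package-lock-style dependency tree into a flat bill of materials, including nested copies of a package that appear at a different version than the top-level one, matches every row against an advisory feed, and reports the version to upgrade to. The lock file, the advisories and their IDs are constructed for the demo and are not real packages or real advisories; the version comparison is a plain numeric x.y.z compare, not full semver.

```javascript
// Added example: minimal OSS bill-of-materials check (not the talk's code).
// Walks a nested dependency tree, flattens it, matches against advisories.

// Constructed lock file fragment in the shape of npm's package-lock.json v1.
// Package names and versions are made up for the demo.
const LOCK = {
  name: "demo-app",
  dependencies: {
    "left-util": {
      version: "1.2.3",
      // a nested, older copy of deep-parse pulled in by left-util
      dependencies: { "deep-parse": { version: "0.9.0" } },
    },
    "deep-parse": { version: "2.1.0" },
    "fast-log": { version: "3.0.1" },
  },
};

// Constructed advisory feed. IDs are placeholders, not real CVE/GHSA IDs.
// "below" is an exclusive upper bound on affected versions.
const ADVISORIES = [
  { id: "EXAMPLE-ADV-0001", pkg: "deep-parse", below: "1.0.0", fixed: "1.0.0" },
  { id: "EXAMPLE-ADV-0002", pkg: "fast-log", below: "3.0.2", fixed: "3.0.2" },
];

// Compare two "x.y.z" versions numerically. Returns -1, 0 or 1.
// Deliberately simple: no prerelease tags or build metadata.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Flatten the tree into a BOM: one row per (name, version, dependency path).
// Nested copies matter: the same package can ship at several versions.
function buildBom(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    out.push({ name, version: info.version, path: here.join(" > ") });
    buildBom(info, here, out);
  }
  return out;
}

// Match BOM rows against the feed and attach the remediation target.
function findVulnerable(bom, advisories) {
  const hits = [];
  for (const row of bom) {
    for (const adv of advisories) {
      if (adv.pkg === row.name && cmpVersion(row.version, adv.below) < 0) {
        hits.push({ ...row, advisory: adv.id, upgradeTo: adv.fixed });
      }
    }
  }
  return hits;
}

// Stand-alone run: print the findings as a remediation worklist.
for (const h of findVulnerable(buildBom(LOCK), ADVISORIES)) {
  console.log(`${h.advisory}: ${h.path} -> upgrade ${h.name} to ${h.upgradeTo}`);
}
```

The nested deep-parse@0.9.0 is the interesting row: a check that only reads top-level versions would see deep-parse@2.1.0 and report the project clean. In a real program the lock file comes from the build, the feed from a source such as the NVD or the package ecosystem's advisory database, and the "upgradeTo" becomes a pull request against the repository.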

Come see Tyler at RVAsec! Register Now.


Speaker Feature: Mike Hodges

Mike Hodges

@rmikehodges

Mike Hodges is a senior consultant for the Optiv Attack and Penetration Practice. He has a background in application development and is currently OSCP, Assoc CISSP, and CEH certified. He is currently interested in evasive penetration tactics and techniques and is constantly looking to build new ways to automate attacker evasion.

Hiding in the Clouds – Leveraging Cloud Infrastructure to Evade Detection

Organizational spending on cybersecurity is at an all-time high. From an attacker’s perspective, this means that target networks are becoming increasingly hostile environments to operate in, which has pushed attackers to look for new ways to diminish a defender’s ability to identify their activity. The rise of cloud providers and their associated content delivery networks has provided ample ways to attack targets and communicate with attack infrastructure while piggy-backing on the cloud provider’s infrastructure and reputation.
Techniques and tactics such as domain fronting across multiple cloud providers, distributed scanning, and leveraging API gateways will be discussed. More nuanced aspects of these cloud services will also be explored, since they often bring benefits to an attacker’s infrastructure, including encryption. Most importantly, mitigations for these techniques will be provided so that defenders can go about better protecting their networks.
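Domain fronting works because the TLS SNI (the name the network sees) and the HTTP Host header (the name the CDN routes on) can name different tenants of the same provider. The defender's check is therefore to compare the two wherever TLS is terminated or inspected. The following is an added example, not Mike's or Optiv's code: it parses constructed proxy log lines with an assumed key=value layout and flags flows whose SNI and Host disagree after normalisation, with an allowlist for pairs the organisation knows to be benign.

```javascript
// Added example: flag SNI/Host mismatches that suggest domain fronting.
// Log lines and field names are constructed; adapt parseLine to your proxy.

const LOG_LINES = [
  "ts=1 src=10.0.0.5 sni=cdn.example.com host=cdn.example.com",
  "ts=2 src=10.0.0.5 sni=assets.example.com host=c2-front.example.net",
  "ts=3 src=10.0.0.7 sni=api.example.com host=API.EXAMPLE.COM:443",
  "ts=4 src=10.0.0.9 sni=static.example.org host=",
];

// Constructed allowlist of "sni|host" pairs known to be legitimate
// (e.g. a vendor that fronts one name with another on purpose).
const ALLOWED_PAIRS = new Set(["edge.vendor-cdn.example|portal.vendor.example"]);

// Split "k=v k=v ..." into an object; values may be empty.
function parseLine(line) {
  const rec = {};
  for (const kv of line.trim().split(/\s+/)) {
    const i = kv.indexOf("=");
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Lower-case, strip a :port suffix and a trailing dot so that
// "API.EXAMPLE.COM:443" and "api.example.com" compare equal.
function normHost(h) {
  return (h || "").toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Return records where SNI and Host are both present, differ after
// normalisation, and are not an allowlisted pair.
function detectFronting(lines, allowed = ALLOWED_PAIRS) {
  const hits = [];
  for (const line of lines) {
    const r = parseLine(line);
    const sni = normHost(r.sni);
    const host = normHost(r.host);
    // A missing Host header (old clients, non-HTTP traffic) is noise, not fronting.
    if (!sni || !host) continue;
    if (sni === host) continue;
    if (allowed.has(`${sni}|${host}`)) continue;
    hits.push({ ts: r.ts, src: r.src, sni, host });
  }
  return hits;
}

for (const h of detectFronting(LOG_LINES)) {
  console.log(`possible fronting from ${h.src}: sni=${h.sni} host=${h.host}`);
}
```

Two caveats a practitioner should keep in mind: the comparison is only possible where the Host header is visible (a TLS-inspecting proxy, or the CDN's own logs), and a provider that refuses requests whose Host does not match the SNI removes the technique entirely, which is why the talk's mitigations are as much about provider choice as about detection.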

Come see Mike at RVAsec! Register Now.


Speaker Feature: Simone Petrella

www.cybervista.net

@simonepetrella

Simone is Chief Cyberstrategy Officer at CyberVista where she leads product development and delivery of cybersecurity training and education curriculums as well as workforce initiatives for executives, cyber practitioners, and continuing education. Previously, Simone was a Senior Associate at Booz Allen Hamilton in the firm’s commercial sector cybersecurity practice focusing on the creation of cyber fusion centers and the integration of cyber security operations. Prior to that, she led the firm’s all source cyber threat intelligence business in the national security and Defense sectors, including intelligence support to both defensive and offensive operations. Simone received her J.D. with honors from Catholic University Columbus School of Law and graduated from Georgetown University with a B.A. in Government and a M.A. in International Law and Policy.

How Do You Measure Expertise? A New Model for Cybersecurity Education.

The industry relies upon a strong and knowledgeable talent base to protect both commercial and national interests, but without a more universal and standardized education model we still have an overall cybersecurity workforce shortage.
This session, designed both for leaders and learners, will explore the current training landscape, describe a model for the new/emerging cybersecurity profession and introduce a career model based on skills/knowledge that are mapped to the field. Participants will leave this session understanding all the tools available for cybersecurity managers to effectively grow the profession from the bottom up, top down, and through the middle via upskilling, reskilling, continuing education and mentoring. They will understand the foundations upon which a framework can be built to address the needs of the individual and the profession as a whole. Finally, participants will recognize the optimal way to balance quantitative measures in the cybersecurity profession (e.g. degrees, certifications) and qualitative ones (e.g. continuing education, practice, experience).

Come see Simone at RVAsec! Register Now.


Speaker Feature: Robert Mitchell

Dr. Robert Mitchell is currently a member of technical staff at MITRE. He received his Ph.D., M.S. and B.S. from Virginia Tech. Robert served as a military officer for six years and has over 13 years of industry experience, having worked previously at Sandia National Laboratories, Boeing, BAE Systems, Raytheon and Nokia. His research interests include game theory, linkography, moving target defense, computer network operations, network security, intrusion detection and cyber physical systems. Robert has published 25 peer reviewed articles.

A Game Theoretic Model of Computer Network Exploitation Campaigns

Increasingly, cyberspace is the battlefield of choice for twenty-first-century criminal activity and foreign conflict. This suggests that traditional modeling and simulation approaches have stalled in the information security domain. We propose a game theoretic model based on a multistage model of computer network exploitation (CNE) campaigns comprising reconnaissance, tooling, implant, lateral movement, exfiltration and cleanup stages. In each round of the game, the attacker chooses whether to proceed with the next stage of the campaign, nature decides whether the defender is cognizant of the campaign’s progression, and the defender chooses to respond in an active or passive fashion. We propose a dynamic, asymmetric, complete-information, general-sum game to model CNE campaigns and techniques to estimate this game’s parameters. Researchers can extend this work to other threat models, and practitioners can use this work for decision support.

Come see Robert at RVAsec. Register Now.


Speaker Feature: Travis McCormack

@HaknSlack

Travis has 10 years of experience in information security roles. Starting out as a Network Administrator and later a SOC Analyst, he built his experience and knowledge up through blue teaming before deciding to try out offensive security. Travis has spent the past 2 years as a penetration tester primarily focused on application security with Cigital/Synopsys and now Walmart.

From Web App to ATM: Why the Basics Matter

This is a technical application security discussion for junior penetration testers or anyone interested in the world of penetration testing. Advanced members of the community are welcome, but the content is geared at newer testers. From Web App to ATM will showcase a penetration test I performed where the only previous work done was web vulnerability scanners that completely missed the iceberg lurking just below the water. In this talk I will cover some “back to basics” of web app security and show real world examples of critical applications exposing these flaws. Unauthenticated APIs, forceful browsing, privilege escalation, and total ownage of ATMs managed by this app are all up for discussion.

Come see Travis at RVAsec! Register Now.


Speaker Feature: Chris Czub

labs.duosecurity.com

@chrisczub

Chris Czub is an information security engineer on Duo Security’s Corporate Security team where he helps keep their employee endpoints and servers monitored and safe.

OS X App Whitelisting Without Losing Your Job

Application whitelisting: it’s easy to say it should be practiced as part of a complete endpoint security practice, but in reality it can be hard to deploy widely without causing friction and frustration across the organization. This talk will look at the tools and processes that enabled Duo’s Corporate Security team to progressively deploy and monitor application whitelisting across their fleet of OS X endpoints.

Come see Chris at RVAsec. Register Now.



RVAsec 7 CTF

The CTF crew is once again hard at work preparing challenges for this year’s competition. As in the past, the first day of the conference will be CTF prep while the actual competition will take place on Day 2 (Friday, June 8th). Even though it will contain some hard challenges, this is a learning CTF – not just a bash-your-head-against-the-wall competition. As such, there will be plenty of challenges from lockpicking to recon and web exploitation for people of all levels and backgrounds. Additionally, you may choose to compete as an individual or form teams of up to 4 people – there are separate prize categories for both.

You will need an updated Kali machine, but we will provide everything else.

Below is a list of some of the skills/topics that have been covered in previous years.

Entry Level: Primarily aimed at beginners and those with a less technical background, focusing on basic infosec skills and concepts.

  • Rot N encoding
  • Google Fu / OSINT
  • Examining website source code
  • Basic file analysis (e.g. file, strings)
  • Trivia

Intermediate: Expect to begin taking a deep dive into the core categories by finding and exploiting vulnerabilities, cracking passwords, etc.

  • Extracting objects from Wireshark dump
  • SQL Injection
  • URL Fuzzing
  • Cracking password hashes (using john, Hashcat, etc)
  • Reverse Engineering and Disassembly

Hard: For our battle-hardened, seasoned CTF players. These challenges require competitors to truly think outside the box, crack encryption, exploit binaries, and more.

  • Blacklist filter evasion for SQL Injection
  • Binary Exploitation (buffer overflows and more)
  • Cracking RSA Encryption
  • Multi-step OSINT investigation
  • Hardware
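One of the "Hard" topics above, cracking RSA, worked through as an added example that is not the CTF crew's own challenge code. The weakness shown is the classic one handed out in learning CTFs: the two primes were generated too close together, so Fermat's method (write n as a difference of squares) factors the modulus in a handful of steps, after which the private exponent follows from the textbook key recovery. The modulus below is a constructed toy (two five-digit primes); real keys are vastly larger, but the method is the same.

```javascript
// Added example: factor an RSA modulus with close primes, recover d, decrypt.
// All arithmetic uses BigInt so the same code works on real-sized moduli.

const N = 100160063n;  // constructed toy modulus = 10007 * 10009 (primes 2 apart)
const E = 65537n;      // the usual public exponent

// Integer square root of a BigInt via Newton's method, starting above the root.
function isqrt(n) {
  if (n < 2n) return n;
  let x = 1n << BigInt((n.toString(2).length + 1) >> 1); // 2^ceil(bits/2) >= sqrt(n)
  for (;;) {
    const y = (x + n / x) >> 1n;
    if (y >= x) return x;
    x = y;
  }
}

// Fermat: n = a^2 - b^2 = (a - b)(a + b). Starting at a = ceil(sqrt(n)), the
// number of steps grows with (p - q)^2 / sqrt(n), so close primes fall fast.
function fermatFactor(n, maxIter = 1000000) {
  let a = isqrt(n);
  if (a * a < n) a++;
  for (let i = 0; i < maxIter; i++, a++) {
    const b2 = a * a - n;
    const b = isqrt(b2);
    if (b * b === b2) return [a - b, a + b];
  }
  return null; // primes too far apart for this budget
}

// Square-and-multiply modular exponentiation.
function modPow(base, exp, mod) {
  let r = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) r = (r * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return r;
}

// Modular inverse by the extended Euclidean algorithm.
function modInv(a, m) {
  let [oldR, r] = [a % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error("e is not invertible mod phi(n)");
  return ((oldS % m) + m) % m;
}

// d = e^-1 mod (p-1)(q-1), once the factors are known.
function recoverPrivateExponent(n, e) {
  const f = fermatFactor(n);
  if (!f) return null;
  const [p, q] = f;
  return modInv(e, (p - 1n) * (q - 1n));
}

// Stand-alone run: encrypt a small message with the public key, then
// decrypt it with the recovered private exponent.
const D = recoverPrivateExponent(N, E);
const M = 12345n;
const C = modPow(M, E, N);
console.log(modPow(C, D, N) === M ? "recovered d, decryption OK" : "failed");
```

In a challenge the modulus and ciphertext come from the provided public key and file; the only judgement call is whether Fermat is worth trying, and the cheap test is to run it with a small iteration budget before reaching for heavier tools.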

In addition, we are always looking for volunteers to help out with creating and testing all of the problems. If that interests you, please reach out to us at contact [at] metactf.com, and we’ll add you to the mailing list.

We are pleased to announce that CrowdStrike has sponsored the CTF this year!

Finally, good luck to everyone and we’ll see you in June!



Speaker Feature: Mark Arnold and Will Gragido

@lotusebhat

Mark Arnold

@eg0sum

Mark Arnold, PhD, GXPN, CISSP, CISM has more than 20 years of technical and senior leadership in the information security space. He’s an advisory board member for OWASP Boston, SOURCE Conference, Boston Application Security Conference (BASC), and InfoSecWorld 2018. He is CISO/Sr. Director at Navisite and most recently a cloud researcher at Optiv.

Will Gragido is a seasoned security professional with over 20 years’ experience in networking and information security. Will’s extensive background is the result of his service as a United States Marine, a consultant with the world renowned International Network Services, Internet Security Systems (now IBM ISS), McAfee, Damballa, Cassandra Security, RSA NetWitness, Carbon Black, Digital Shadows and now Digital Guardian, where he leads the organization’s Advanced Threat Protection Product Line as its Director. He is lead author or co-author of three Syngress Press titles.

Hacking Intelligence – The Use, Abuse, and Misappropriation of Intel for Fun and Mostly Profit

The appropriation of intelligence (and/or its art) within the security industry has raised the ire of many trained intelligence practitioners in the field. Some bemoan the fact that intelligence has been hijacked for profit with disregard of the discipline’s basic tenets. These tenets include but are not limited to tradecraft, life cycle, theory, analysis, application, and generation of actionable intelligence. On the other side of the aisle, security leaders have been tasked to implement threat intelligence within their respective security programs (maybe because it has become fashionable to do so). More often than not, however, such goals have proven elusive. Further, security leaders who procure intelligence products marketed to them are often left feeling they’ve been sold a bill of goods when those products fail to deliver.
This talk shares the results from conversations between a security expert/professional trained in the field of intelligence and a practitioner/researcher/leader not classically trained in the discipline. We discuss the uses, abuses, and misappropriations of intel with the hopes of forging a better path forward in this subject area. We do this by asking questions like “What is cyber intelligence?”, “What does it look like and where is it going?” and, lastly, “How should it be used?”
To be covered:
• Tenets of intelligence
• The discipline of intelligence
• Why has CTI been in the “hype cycle”? Why do people care?
• What does cyber threat intelligence get us? Hacking the discipline

Come and see Mark and Will at RVAsec! Register Now.


Speaker Feature: Ksenia Peguero

@KseniaDmitrieva

Ksenia Peguero is a Sr. Research Lead within Synopsys Software Integrity Group. She has eight years of experience in application security and five years in software development. Ksenia is a subject matter expert in static analysis and JavaScript frameworks and technologies. Before diving into research, she worked in a variety of software security practices including penetration testing, threat modeling, code review, static analysis tool design, customization, and deployment. Over the years, she performed numerous engagements for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Throughout her consulting career, Ksenia has established and evolved secure coding guidance for many different firms, and has delivered numerous software security training sessions. Ksenia speaks regularly at events around the world, such as BSides Security in London, Nullcon in India, RSA in Singapore, and AppSec Europe in Italy. She has also served on review boards of AppSec USA and AppSec EU conferences.

How to REACT to JavaScript [In]Security

According to a StackOverflow survey, JavaScript is the most commonly used programming language on earth. Today just the client-side JavaScript ecosystem has over 50 frameworks available, and JavaScript is successfully conquering the server-side space. The amount of application logic that is executed in the browser is growing every year, which means the attack surface is growing as well. Which security issues are most common in JavaScript applications? Do new frameworks provide the security controls needed to protect the growing amount of client-side code? In this talk we will answer these questions and, as an example, we will look at one of the hottest JavaScript frameworks today – React. We will discuss its new features like components and server-side DOM rendering, analyze React’s security posture and demonstrate existing vulnerabilities.
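Of the React features the abstract names, server-side rendering carries a pitfall worth seeing in code: the server typically hands the initial application state to the client by embedding it in a script element, and if that is done with a bare JSON.stringify, a string containing "</script>" closes the element early and the remainder is parsed as markup. The following added example (not Ksenia's or Synopsys' code, and not tied to any real application) shows the vulnerable and the hardened serialisation side by side; the state object and its user-supplied display name are constructed.

```javascript
// Added example: state hydration in server-side rendering, vulnerable vs hardened.
// No React dependency; the point is the serialisation step, not the rendering.

// Constructed state. displayName is assumed to come from an untrusted user.
const STATE = {
  user: { displayName: '</script><img src=x onerror="alert(1)">' },
};

// Vulnerable: JSON.stringify leaves "<" alone, so "</script>" survives and
// the HTML parser ends the script element in the middle of the payload.
function renderStateVulnerable(state) {
  return `<script>window.__STATE__ = ${JSON.stringify(state)};</script>`;
}

// Hardened: escape "<" as \u003c so no "</script>" can appear. JSON allows
// \u escapes, so the client's JSON.parse still yields the original value.
// U+2028/U+2029 are valid in JSON strings but are line terminators in older
// JS engines, so they are escaped as well.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderStateHardened(state) {
  return `<script>window.__STATE__ = ${safeJsonForScript(state)};</script>`;
}

// Detection used below: more than one "</script" in the output means the
// embedded payload broke out of the script element.
function scriptBreakout(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

// Check that the hardened output still deserialises to the same state,
// i.e. the fix did not change what the client sees.
function roundTrips(state) {
  const html = renderStateHardened(state);
  const json = html.slice(html.indexOf("= ") + 2, html.lastIndexOf(";</script>"));
  return JSON.stringify(JSON.parse(json)) === JSON.stringify(state);
}

console.log("vulnerable breaks out:", scriptBreakout(renderStateVulnerable(STATE)));
console.log("hardened breaks out:  ", scriptBreakout(renderStateHardened(STATE)));
console.log("hardened round-trips: ", roundTrips(STATE));
```

The same reasoning applies to any value interpolated into a script element from the server; React's own escaping covers text rendered into the DOM, not strings a developer concatenates into HTML templates by hand.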

Come see Ksenia at RVAsec. Register Now.