David is the Founder and Principal Security Consultant for TrustedSec, who provides information security consulting services for a large portion of the Fortune 1000 space as well as medium-sized companies. Prior to TrustedSec, David was a Chief Security Officer (CSO) for Diebold Incorporated, a Fortune 1000 company located in over 80 countries with over 16,000 employees. David developed a global security program that tackled all aspects of information security. David is considered a thought leader in the security field and has presented at over three hundred conferences worldwide.
RVAsec 2014 Keynote
Chief, Computer Crime Section
Virginia Attorney General’s Office
Gene Fishel currently serves as Senior Assistant Attorney General and Chief of the Computer Crime Section in Virginia Attorney General Mark Herring’s Office. In this capacity he directs prosecutions of computer fraud, identity theft, and child exploitation cases in state courts across Virginia, and serves as a Special Assistant United States Attorney in both the Eastern and Western Districts of Virginia where he prosecutes computer crime cases in federal court. He additionally oversees the office’s recently established Computer Forensics Unit which conducts investigations and computer forensic analyses for criminal cases across the Commonwealth. He also monitors organizations’ compliance with Virginia’s database breach notification laws, drafts legislation for the Virginia General Assembly, trains law enforcement and prosecutors statewide, and educates the public on issues involving computer crimes.
Brian Baskin is a digital forensics professional and incident responder with RSA Security. Brian was previously an intrusions and malware analyst/reverse engineer for the Defense Computer Forensics Laboratory, part of the Defense Cyber Crime Center. For nearly 15 years Brian has worked to research, develop, and train responses to growing network threats. Brian devotes much of his time to researching malware, network protocols, and Linux and UNIX intrusion responses. He has authored numerous books on computer security and developed software to allow for more efficient intrusion and malware analysis. Brian is also a ginger.
Introducing Intelligence into Malware Analysis
Malware analysis is the current en vogue topic for computer security companies and careers. However, many are still approaching malware the same way their forefathers did a decade ago. Malware analysis without intelligence leads to slower responses, duplication of effort, and disparate results for each incident. These issues are mitigated by taking a systematic, layered approach to analysis that can then be applied to your organization’s overall security posture through Free Open Source Software.
David J. Bianco
Before coming to work as a DFIR subject matter expert at Mandiant, David spent five years helping to build an intel-driven detection & response program for a Fortune 5 company. He set detection strategies for a network of nearly 500 NSM sensors in over 160 countries and led response efforts for some of the company’s the most critical incidents, mainly involving targeted attacks. He stays active in the community, speaking and writing on the subjects of Incident Detection & Response and Threat Intelligence.
The Pyramid of Pain: Intel-Driven Detection & Response to Increase Your Adversary’s Cost of Operations
There’s more to good threat intelligence than lists of domains or IPs, and it’s useful for more than just finding bad actors in your environment. What if I told you that you could use threat intelligence not only to get better at detecting and responding to incidents, but also to make your attackers’ lives significantly more difficult, to drive up the costs of their operations and to potentially make it so expensive to operate against you that they give up? Sound too good to be true?
In this talk, I’ll cover a practical, proven framework for applying threat intel to incident detection and response. The framework’s centerpiece is the Pyramid of Pain. The result of nearly 5 years experience directing the global detection program for a Fortune 5 company, the Pyramid is a blueprint for turning your incident response capability into an offensive weapon to cause pain for your attackers.
Growing up, it was a safe bet that if an object around the house was held together with screws or contained any number of wires, Evan “treefort” Booth took it apart at some point to see what made it tick. In 4th grade, with the help of strategically placed pens, erasers, and a Pop-Tarts wrapper, Evan’s pencil box could quickly be converted into a model rocket launchpad. His Liquid Drano purchases to toilets cleaned ratio is absolutely abysmal. This never-ending supply of curiosity eventually translated into a passion for understanding computers and programming.
Having earned a degree in Digital Media — a nerdy union of design fundamentals and computer programming — from East Tennessee State University in Johnson City, Evan founded his company, Recursive Squirrel, where he has served a wide variety of clients in need of application development and consulting for nearly a decade. When he isn’t organizing 1′s and 0′s, Evan is likely off picking locks with the FALE Association of Locksport Enthusiasts, a lock picking group he co-founded in 2010.
In his most recent project, Terminal Cornucopia, Evan set out to demonstrate how difficult it would be for an attacker to construct lethal weapons in a typical airport terminal after the security screening. After successfully building an arsenal consisting of everything from simple melee weapons to reloadable firearms to a remotely-triggered incendiary suitcase, Terminal Cornucopia garnered international media attention and attracted viewers from nearly every country on the planet.
Make no mistake: the best part about buying a bulky item is, in fact, the huge cardboard box.
Terminal Cornucopia: Demystifying the Mullet
Prevalent Networks Managing Director Jonathan Dambrot, CISSP, works with the leading organizations in the world to help better manage third party and IT related risks. Prevalent develops Prevalent Vendor Risk Manager and provides compliance automation solutions from the cloud with its Prevalent Compliance as a Service. Jonathan received his MBA from The Pennsylvania State University and is currently Vice-Chair of the Shared Assessments Steering Committee, Chair of the SIG Committee, and sits on the Penn State Outreach Advisory Board.
Third Party Risk Management and Cybersecurity
Several recent research reports have identified that close to 80% of data breaches are caused by Third-Party Error. Additionally, The Ponemon Institute recently identified that third party error represented the largest factor in the cost of a data breach. Lastly, recent regulatory and mandate guidance has required most regulated industries to perform Vendor Risk Management as part of their security strategy. If you do not have third party risk management as part of your security strategy you potentially have a major gap in your program. This talk will discuss several use cases as well as strategies to consider in helping manage your third and fourth party risk.
Inga has been involved with specialty insurance coverages since 1993 and brings a wealth of experience with all facets of risk transfer. Her focus includes the strategic management of data privacy and security exposures, with an emphasis on leveraging data-driven risk assessment to build sustainable insurance programs and product profitability. As the leader of the insurance practice group at Risk Based Security, Inga is responsible for a variety of client advisory services including identification of data security and privacy exposures, policyholder risk management support and the development and implementation of cost effective breach response solutions. As a strong advocate for sharing knowledge, Inga has presented at a variety of industry forums and has led many continuing educations sessions throughout the U.S. She currently holds a CIPP/US designation.
Cyber Insurance – Worth the Effort or Total Ripoff?
Have you ever found yourself paying premiums for years, just to be shortchanged by the insurance company when you submit a claim? It’s a common story and one that can leave the impression that an insurance policy isn’t worth much more than the paper it’s written on. But when it comes to transferring risk for a data breach event, cyber insurance can be a powerful and budget-saving tool. This session includes a discussion of how cyber insurance policies can be a benefit to both the security practitioners responsible for keeping data safe and the leaders tasked with minimizing the impact of a data breach. The session will also include an insider’s view of the real value behind this insurance and share strategies for leveraging these policies to your advantage.
Seth Hanford manages Cisco’s TRAC team, whose members use Cisco’s expansive security intelligence resources to detect and respond to threats and generate original research on a wide array of security topics. Prior to this role, he worked for more than a decade in vulnerability and threat intelligence. Between his roles as a Security Analyst for Cisco’s vulnerability database service (IntelliShield) and as an Incident Manager on it’s Product Security Incident Response Team (PSIRT), he has reviewed and scored thousands of security vulnerabilities in a wide range of software products. In 2005 he began contributing to the Common Vulnerability Scoring System v2 working group, and in 2011 accepted a nomination to chair the special interest group tasked with developing CVSS version 3.
CVSS v3 – This One Goes to 11
Software vulnerabilities — love em or hate em, they’re crucial to your job. Likewise, you may have a love/hate relationship with vulnerability classification and severity scoring (like CVSS v2 or any number of proprietary methods). In this talk we will look at statistics and characteristics for thousands of vulnerabilities to see if we can determine what CVSS v2 did wrong, what it did right, and what we (the CVSS v3 Special Interest Group) intend to do to fix it. We will also come away with a better understanding for why systems like CVSS are important to security practitioners, even those who’d rather be popping shells than pushing off patches whose scores are “too low to care about”.
Pete Herzog is the managing director of ISECOM and the lead researcher behind the organization’s “10-gen” research initiative to research and evaluate new ideas at least 10 years ahead of the security industry. Pete is the creator and main writer of the OSSTMM and Hacker Highschool.
Five Secrets to Building an Amazing Security Culture in Your Organization
If only everyone thought about security the way we think about security. But they don’t. Why not? Don’t they care? It’s more complicated than that. The neuroscience behind security and learning shows most of the things we already do are not going to work or are just wrong. Here’s five things that will though and will make all the difference.
Dan Holden & Elizabeth Martin
@desmondholden & @elizmmartin / www.arbornetworks.com/asert/
Arbor Networks & RedLegg
Dan Holden is the Director of ASERT, Arbor’s Security Engineering and Response Team, where he leads one of the most well respected security research organizations in the industry. His teams oversee the ATLAS global security intelligence database, and are responsible for threat landscape monitoring and Internet security research including the reverse engineering of malicious code. Dan also oversees the development and delivery of security content and countermeasures for Arbor’s industry leading DDoS technologies via the ATLAS Threat Feed (ATF) and the ATLAS Intelligence Feed (AIF) threat detection services.
Prior to Arbor, Dan was director of HP TippingPoint’s DVLabs and a founding member of IBM/ISS X-Force. While at HP TippingPoint, Dan grew the DVLab’s organization into a mature security research and development team delivering security content, intelligence portals, and reputation technology as well as overseeing both the Zero Day Initiative (ZDI) program and Pwn2Own vulnerability contest. Dan also helped build and define X-Force over the course of 12 years in various capacities ranging from development to product management. Dan has been in the security industry spanning two decades specializing in vulnerability analysis, security research, and technology incubation. Dan is a frequent speaker at major industry conferences and has been quoted and featured in many top publications, radio and television.
Elizabeth Martin is the Director of Security Services with RedLegg and is responsible for the development and delivery of the Risk Management practice. Elizabeth’s tenure includes Arthur Andersen, IBM Internet Security Systems, and Trustwave. She has 15 years’ experience in the Information Security, Compliance, and Risk Management industry and her expertise lies with assessing organizations and assisting with the development of a strategic approach to Information Security. Ms. Martin has extensive experience delivering Compliance Gap Assessments and Audits, Risk Assessments, Vulnerability Assessments, Policy Framework Development, and Solution Design and Deployments in the automotive, retail, financial, healthcare, government, and managed security services verticals. Elizabeth is active in the industry and serves as Board Member for the Cloud Security Alliance, Chicago Chapter; Coordinator for BSidesChicago; and is a founder of SecureChicago, Inc., an Illinois not for profit organization dedicated to promoting education and professional development in the security industry.
Pissing Down The Leg Of Much Of Our Careers; Why Are You People Still Buying Firewalls & IPS?
Do you recall the good ole days when you would often issue the command ‘more /etc/services’ to correlate an application to a port number? Next thing you know everyone spends a fortune on firewalls and it now seems that the majority of applications now run over just a few ports. Funny thing is now we are told we all need to buy next generation firewalls because you now need visibility into the applications that your standard firewall can’t see. Is this a solution to a problem that the firewall created in the first place? Are firewalls really providing security, or is it simply network segmentation for a network that isn’t that difficult to get onto in the first place?
The story for other traditional security technologies such as A/V and IDS/IPS can be just as perturbing. For years signatures have been lambasted as not being able to keep up with the maturing and quickly advancing threat landscape. If this is the case then why are these solutions allowed to mature into old grey veterans pushed upon us by compliance requirements and experts espousing ‘defense in depth’?
This talk will not only poke fun at these crippled and elderly network membranes but will highlight real world examples used by attackers to bypass them. The point of the talk will be to provoke thinking about a false sense of security that can come from legacy technologies or ideals, and whether these can actually be a burden rather than a solution.
HP Fortify on Demand
Ray Kelly got his start in internet security 11 years ago with SPI Dynamics. As the lead developer of WebInspect, he helped build the product into an industry leading application scanner. After the SPI’s acquisition by HP, Ray moved on to other startups such as Purewire and Barracuda Networks where he focused on content security and mobile technologies. Currently Ray is back at HP Fortify on Demand group managing the Mobile Penetration team where mobile applications are tested for security vulnerabilities.
Man In The Front – Modifying the Android OS for Mobile Application Testing
Most penetration testers know the headaches of testing mobile applications. Challenges like certificate pinning and wondering what files are being written to the device while the app is in use. Since Android is open source, you create your own custom OS that takes the guess work out of your test. By doing this, you can monitor HTTP/HTTPS traffic, SQLLite queries, file access and more. Because this is part of the OS, you can intercept before the data is encrypted (i.e. MiTF). And this works for all apps. No need to hook, inject or rebuild each app you test.
In this talk, I will give a high level overview of the Android OS, point out key files for modifications, and demonstrate a proof on concept with a custom OS along with a monitor showing the intercepted information.
Jack Mannino, Abdullah Munawar
Jack Mannino is a Co-Founder at nVisium, a DC area firm specializing in application security. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.
Abdullah Munawar is an application security consultant at nVisium who specializes in mobile application testing and ripping apart new things. He previously worked on the security teams at financial and aviation organizations, with over 7 years of experience. Abdullah attempts humor on a daily basis and succeeds most of the time, every time.
How To Find Mobile Internet Love
As mobile dating applications grow in popularity, so does our interest in the security posture behind these apps. We wanted to take a look at numerous features within these apps to determine the good, the bad, and the ugly. We will cover popular features such as location-based services, analytics, sharing of information, and any other features we discovered to be interesting.
This talk will feature some highlights from popular, obscure, and scary mobile dating applications to answer a very simple question: Can you find love on the Internet without having your personal data exposed?
Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as United States Marine. He has worked with devices and software that run gambit in the security realm. He has a few certifications, but the titles that he holds above the rest is FATHER, HUSBAND and United States Marine.
Attacker Ghost Stories: Mostly Free Defenses That Gives Attackers Nightmares
This talk was originally titled “I’m tired of defenders crying”, but thought better of it. This talk is about the tidbits that I’ve seen piecemeal across the multitude of businesses big and small that were innovated and highly effective, yet free, or mostly free and stopped me dead in my tracks.
Going over 4 free, or nearly free methods, tactics, and software setups that will cut down intrusions significantly that you can deploy or start deployment of the hour after the talk is done.
Kimberley Parsons & Carmen Sullo
Created for Greatness, LLC
Kimberley Parsons has refined her approach through thirteen years of serving leaders and teams in Fortune 500 and not-for-profit companies. Over 10 years as an IT professional and seven years of coaching and training, she’s had extensive opportunities to elevate others while deepening her learning in leadership and team development, change leadership, strategy execution, and coaching.
Kimberley obtained her Leadership Coach Certification from Georgetown University, is an accredited Associate Certified Coach (ACC) with the International Coach Federation (ICF) and holds a Masters of Science in Information Systems from Virginia Commonwealth University.
Carmen Sullo’s background as an IT Project Manager and Agile Coach for software development in leading financial institutions put her on the path towards team leadership and coaching. Leveraging her natural talents in interpersonal awareness, Carmen excels at building high performing teams that thrive on the most complex and challenging opportunities. Carmen has developed a reputation for developing teams that leaders trust, that people want to be a part of, and with which clients love to work.
Carmen graduated from the University of Richmond with a BA in Information Systems Management and is a graduate of the Newfield Network in Ontological Coach Training.
Leading Security When the Rest of The Business Doesn’t Care About Security
In many organizations, security teams are viewed as a “necessary evil” or a cumbersome speed bump in a project plan. It is almost as though the security teams purpose is in conflict with the organization’s purpose, creating competition for resources and funding rather than collaboration and quality execution. This talk focuses on leading through this challenging organizational environment, transforming from dissatisfied performers with high burnout to high performing teams that attract and retain elite staff.
Joey has over 15 years of experience in the information technology industry specializing in information security. Prior to joining the GuidePoint Security team, he served as World Wide Security Architect for F5 Networks focusing on mobile and application security, and authentication and access security. His previous experience includes managing application and mobile security consulting teams at national security consulting firms, and leading JCPenney’s internal penetration-testing team. Joey is an active member of the information security community, speaking frequently at conferences and security events such as OWASP, TakeDownCon, ISSA, and has written, or appeared in, articles by Hakin9, SC Magazine, SD Times, and Information Week. He is also an accomplished technical scuba diver and PADI Divemaster.
Offensive Mobile Forensics
It’s official; enterprise mobility has been redefined, and Bring Your Own Device is a permanent reality, not a trend or fad. The problem everyone has failed to solve, however is not protection of the device itself. MDM, and now MAM are failed attempts to enable the secure use of personally-owned mobile devices. They’ve failed because they stop short of providing a holistic solution for data protection. Enter Offensive Mobile Forensics, a process in which an analyst employs use of the same techniques and tools potential attackers or criminals use on lost or stolen devices, to determine the actual risk of that loss or theft to the enterprise. What data is accessible?
Nick Popovich’s passion is learning and exploring the offensive side of IT security. He works as a penetration tester, trying to raise the overall security posture of organizations through infrastructure security testing. Nick’s mission is to help individuals and organizations involved with the defensive side of InfoSec understand the mechanics and methods of the attackers they defend against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of two and a husband to one.
I Found a Thing and You Can Too: ISP’s Unauthenticated SOAP Service = Find (almost) All the Things!
This presentation is meant to encourage individuals to put the applications and software that they may use on their own home or small business networks under the research microscope. This is will be a discussion of a recent independent research project that eventually lead to an information disclosure vulnerability by a major U.S. ISP. This is also an example of when a coordinated disclosure goes right.
What began with simple curiosity into the inner workings of an application lead to the ability to list wireless network names and wireless encryption keys (among other things) armed only with a WAN IP address.
David Sharpe and Katherine Trame
GE – GE-CIRT
David Sharpe and Katherine Trame are currently incident responders in GE-CIRT’s Advanced Threats team. The GE-CIRT Advanced Threats team provides world class incident response services for APT-related matters for the entire GE organization. David has a wide range of IT experience spanning 19 years. He has served in a variety of roles in Fortune 10 and Fortune 500 companies, ranging from systems programmer writing device drivers and operating system components, to large scale systems administration, to IT security. David joined GE-CIRT in 2011. Katherine served as an intelligence analyst with the Hampton, VA Police Division for five years during which she gained experience in tactical/operational intelligence and computer forensics. Katherine joined GE-CIRT in 2013.
Real World Intrusion Response – Lessons from the Trenches
Two battle-scarred, sleep-deprived GE-CIRT incident responders share lessons learned from the trenches, from their daily duties repelling real world, high-end network intrusions globally. This talk will include fresh thinking and innovative ideas in: intrusion response, intrusion detection, effective use of intel, and defensive operations. We will cover roughly a dozen (time permitting) cutting edge ideas and techniques that you can take back to your own organizations and put into practice right away.
Jayson E. Street
Jayson E. Street is an author of “Dissecting the hack: The F0rb1dd3n Network” from Syngress. Also creator of http://dissectingthehack.com He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street” *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006.
The hacker in the fun house mirror (A talk on skewed perspectives)
This is a talk on perspectives. Hackers, and hacking, are perceived
differently around the world and, in turn, some view our community and
what we do with different eyes than ours. I believe most
reports/papers about that topic are skewed and never give a quite
accurate global image. It’s all about perspectives, and these are what
I will explore in this talk. Being a foreign hacker attending a con,
or delivering an engagement, in an alien land often led to unexpected
situations that I will also recount. I am not only looking to
enlighten and entertain attendees with this talk, but also to have
them take a step back and look at the big picture, at what they are
part of; a global community that spreads beyond borders and
continents. My hope is that the contents of this talk will circulate
wider than just Con attendees so family, friends and co-workers get a
better understanding of who we are, what we stand for, and what that
thing is that brings us all together globally under one banner.
Ben Tomhave is a Research Director with Gartner for Technical Professionals. He holds a Master of Science in Engineering Management (Information Security Management concentration) from The George Washington University. He is a Certified Information Systems Security Professional (CISSP), co-chair of the American Bar Association Information Security Committee within the Section of Science & Technology, former board member at large for SIRA (www.societyinforisk.org), and a member of ISSA (NoVA chapter). He is a published author and an experienced public speaker, including recent speaking engagements with RSA USA, the ISSA International Conference, Secure360, RVAsec and RMISC.
How to Achieve Success with Cyber Risk Assessment and Analysis
Technical professionals are frequently asked to lead or participate in risk assessments or risk analysis, as well as to provide recommendations for the best approach an enterprise should adopt. Unfortunately, there has been little guidance (outside of expensive consultants) on how exactly to achieve success in this area. Until now. On the basis of recent Gartner research, this session provides guidance for achieving success with cyber risk assessment and analysis.
Schuyler Towne is obsessed with locks. While he got his start picking locks competitively, his interest has since exploded into every aspect of their history, design and manipulation. He’s taught hackers, authors, cops and even toy designers. There is nothing Schuyler loves more than to talk locks with anyone who will listen. His interests in the history of physical security and design of locks provides a passionate background to his lectures and workshops on lockpicking. Currently he is attempting to recover lock patents lost in the 1836 patent office fire.
How to Make a Lock
Locks were one of the earliest complex mechanical devices. They are ubiquitous, yet remain very regional in concept. In this talk we’ll explore the process of inventing a lock. We’ll cover examples from around the world, some that persist to this day, some that failed before coming to market, and some that were , until recently, lost to history.
Steve Werby is an independent security consultant and researcher at Befriend and a security architect at a Fortune 2^8 company. He’s held consultant, architect, and CISO roles in the information security field over the last 15 years.
Bad Advice, Unintended Consequences, and Broken Paradigms – Think & Act Different!
20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline…which sometimes has a seat at the table. This talk explores what we’re doing wrong, why it’s ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!