bISHop has been in the security realm for over 10 years, focused on penetration testing for 6 years. If bISHop is not at a computer, he can often be found in the mountains with his dog.

An introduction to Cross Site Request Forgery, how to exploit it, and prevent it.

The talk will begin with an introduction to Cross Site Request Forgery, defining what it is, how to exploit, how to prevent it. Live demonstrations(if the demo gods cooperate) will be used during the presentation. The talk concludes with an example of using Flash to bypass the mistaken protections offered by Cross Origin Resource Sharing.

Come and see Aaron at RVAsec! Register now.

@jasonhillva

Jason Hill serves as the Chief of the National Cybersecurity Assessments and Technical Services (NCATS) Red Team Operations conducting Red Team Assessments for Federal Government customers and Critical Product Evaluations (CPE) for industry partners. Through those assessments, Jason helps close capability gaps, limit exposure and reduce exploitation on the network. Jason works with more than 150 state, local, tribal, territorial and other critical infrastructure entities. Jason has also spent over 20 years in the Virginia National Guard conducting cyber operations during active duty mobilizations throughout his career.

Anatomy of a Government Red Team Assessment

As Chief of the Nation’s Red Team follow Jason Hill on a real world red team assessment of a partner Government Agency. See how CISA’s white hat hacker’s are training our nation’s cyber defenders.

Come see Jason at RVAsec! Register now.

www.jon.glass

@GlassSec

Jon is a Senior Cybersecurity Associate serving the Federal Reserve’s National Incident Response Team as Lead Malware Analyst. He also teaches Digital Forensics, Malware Analysis, and Cybersecurity Python courses for University of Richmond: School of Professional and Continuing Studies. A nine year veteran of the United States Air Force.

Cybersecurity Zero to Hero with CyberChef

The Cyber Swiss Army Knife “CyberChef” is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. CyberChef has significantly lowered the entry threshold for field of Malware Analysis. This talk demonstrates how CyberChef provides the means for those without a strong programming or reverse engineering backgrounds to accomplish complicated, technical Cybersecurity tasks. This talk will also highlight how CyberChef can streamline the workflows of more seasoned analysts with advanced combinations of tasks.

Come see Jon at RVAsec! Register Now.

www.us-cert.gov/resources/ncats

Bobby Thompson is a member of DHS’ National Cybersecurity Assessment and Technical Services (NCATS) team leading the effort to secure our nation’s critical infrastructure and government resources. NCATS is responsible for conducting comprehensive penetration tests, red team assessments, persistent vulnerability scanning, and architecture design reviews for federal, local, state, territorial, tribunal, private sector and critical infrastructure partners. Mr. Thompson has worked in the Information Technology and Security industry for over 20 years in both private and government sectors throughout his career. Mr. Thompson has been active in the cybersecurity community speaking and has served as a presenter at various conferences and engagements throughout the United States.

Breaking and Entering: Emulating the Digital Adversary in 2019

As one of the United States government’s premier assessment and penetration testing organizations, the Department of Homeland Security (DHS) National Cybersecurity Assessments and Technical Services (NCATS) team is responsible for proactively identifying risk against federal, state, local, territorial, and critical infrastructure networks. This session will provide detailed insight on how DHS emulates the digital adversary in order to identify and mitigate risk against our nation’s infrastructure through core capabilities in vulnerability scanning, penetration and red team testing, design review, and phishing assessments. The quantifiable and objective data gained by the NCATS team will allow attendees to gain a comprehensive understanding of the issues that affect government networks and how DHS is helping to overcome them.

Come see Bobby at RVAsec! Register now.

www.pharossecurity.com

@desmondholden

Dan Holden is CEO of Pharos Security measures, aligns, and guides optimization of the ROI and level of protection of a security program and translates the security program into business level terminology. Mr. Holden has 25 years in information security having served as CTO of the Retail and Hospitality ISAC, and Chief Technology Strategist at Arbor Networks. His experience includes building multiple teams from scratch as well as having brought multiple products to market while at IBM, TippingPoint, and Arbor Networks. Throughout his career he has a broad range of experience across multiple business functions including engineering, product management, sales, and marketing.

CISO of 2025

So much of the news related to CISOs today is negative. The reasons are clear because the challenges are enormous. Many CISO’s believe they are not given a fair chance – essentially obstructed from doing their job. Often there can be poor trust with the board, primarily due to not having a pragmatic, cost effective plan, to solve board level problems. CISOs have failed largely in this regard as their security plans have been tactical and not delivering on strategic goals. The common argument is executives just don’t ‘get it’, but most do, and they realize that security doesn’t provide great value with historic or conventional approaches. They might say the business only wants check-box security, but executives understand that to a great degree that is the only material benefit offered by security – so may as well get it at best cost. This talk will explore where and why things have happened the way they have, and how to move towards a definition for the CISO of 2025.

Come see Dan at RVAsec! Register now.

www.samlanning.com

@samlanning

Sam started working at Semmle in October 2014, after deciding to drop out of his Masters at Oxford University after having completed his undergraduate Computer Science degree there. Sam was the first full-time developer for Semmle’s LGTM platform, and worked on it for over 3 years before becoming a developer advocate. Sam’s has been an active member of the security and privacy community for a while, with a particular interest in vulnerability research, cryptography and peer-to-peer networks, having previously contributed to Signal’s Android and Desktop clients, among other open source projects. Most recently, in his free time he’s been working on an open source project that ties together music and lighting.

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities

In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and often across multiple projects. When these mistakes lead to security vulnerabilities, the consequences can be severe. No one knows this better than companies like Google and Microsoft, whose software is used by millions of people every day.
With each code vulnerability discovered, we’re presented with an opportunity to investigate how often this mistake is repeated, whether there are any other unknown vulnerabilities as a result, and implement an automated process to prevent it reappearing. In this talk, I’ll be introducing Variant Analysis, a new process being pioneered by security teams at a number of companies including Google and Microsoft, that does just this. I’ll discuss how it can be integrated into your development and security operations, and also share some stories from the trenches.

Come and see Sam at RVAsec! Register Now.