Kevin Massey

• Video: RVAsec 2023: Kevin Massey – Heap Exploitation from First Principles
• Slides: https://rvasec.com/slides/2023/Massey_Kevin-Heap_Exploitation_From_First_Principles.pdf
• Twitter: @Scratchadams118

In this talk I will discuss the process of building a userland heap allocator, identify the inherent vulnerabilities that exist in heap allocation, and demonstrate methods to exploit these vulnerabilities.

About Kevin – I am a security analyst who does independent security research. I focus on vulnerabilities, binary exploitation, and network protocols.

Jason Wonn

• Video: RVAsec 2023: Jason Wonn – Corporate Dungeon Master: How to Lead Cyber Games at Work
• Slides: https://rvasec.com/slides/2023/Wonn_Jason-Corporate_Dungeon_Master_Lead_Cyber_Games_at_Work.pdf
• Twitter: @wonnmeister

Military organizations have long known the value of “training as you fight”, but commercial entities only realized its importance in the last few years. Consequently, the Cyber Action Officer role recently became a priority for the average company. Are you a security-geek like Jason Wonn who loves role-playing games (RPGs) and want the opportunity to lead a party through incident response to the most prevalent cyber threats? In this original talk, discover how to lead games (table-top exercises) at work as a “Corporate Dungeon Master” (Cyber Action Officer), narrating the story (facilitation), controlling the monsters (cyber threats), and creating an adventure that will have your players leveling-up (process improvement).

About Jason – Jason Wonn is a results-focused information security leader with 30+ years of combined national intelligence, information assurance, and cyber threat intelligence expertise throughout the civilian and military sectors. Jason is a “Richmonder” but works for Navy Federal Credit Union in Vienna, VA. He currently serves as a Cyber Action Officer, delivering table-top exercises and serving as a trusted incident response advisor to leadership during cyber crises. Prior to this position, Jason led the development of a cyber threat intelligence capability at both Navy Federal and The Walt Disney Company. He also served in various threat intelligence roles as a government contractor with MITRE, Lockheed Martin, and CGI Federal in support of the FBI and 1st IO Command, US Army. He holds a B.S. in Computer Science from Tarleton State University in Texas, and the CISSP and PMP industry certifications.

Mark Arnold

• Video: RVAsec 2023: Mark Arnold – TOP 5 CISO FINDINGS OF 2022
• Slides: https://rvasec.com/slides/2023/Arnold_Mark-Top_5_VCISO_Findings.pptx
• Twitter: @otusebhat

Throughout 2022, the Lares® Advisory Services team has tracked emerging trends while assisting organizations of various sizes and maturity with Virtual CISO, IT/OT Risk Assessments, Offensive Assessments, and Security Program Management engagements. TOP 5 CISO Findings (most frequently observed not necessarily the most severe) resulted from our tracking. This presentation unveils the findings, discussing them in the context of current and emerging threats. I also incorporate an MIT Sloan cybersecurity use case and the Verizon DBIR to expound on the findings.

We close out the talk by listing remedies for the Top 5 Findings. A sampling of remedies includes the selection of a framework, threat modeling, and tactical assessments to help organizations discover and avoid the risks associated with the Top 5 Findings.

About Mark – Mark Arnold has a 20+ cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints, and implemented security domain practices at large enterprises and service providers. Mark’s areas of interest include cloud security, threat intelligence, and vulnerability research, nation-state attack methods and related activities (e.g. information operations and disinformation campaigns), and their collective impact on nations and society. He holds industry certifications and degrees from Stanford, Princeton Seminary, and Harvard University. He is a former competitive gymnast and an ordained minister but, most importantly, a husband and dad.

Ian MacRae

• Video: RVAsec 2023: Ian MacRae – The state of NIST/CMMC compliance today
• Slides: https://rvasec.com/slides/2023/MacRae_Ian-CMMC_2023.pptm

Get a 2023 update on NIST security framework and CMMC compliance. Business with the government is Virginia’s #1 industry. The government is sick of spending billions on projects only to find the data leaked onto the Internet. Due to this many government contracts require security compliance to the National Institute of Standards and Technology (NIST) 800-171 standard. For years businesspeople didn’t take the 110 security controls seriously. Now we are seeing deals being lost to the Supplier Performance Risk System score. Ian has helped dozens of organizations implement compliance programs since 2017 in his role of vCSO.

About Ian – Ever since founding E-N Computers in 1997, Ian has been dedicated to helping people get the most out of their technology. Since then, he’s grown the company from a small computer repair shop into a top-tier regional managed services provider (MSP) that helps SMB and enterprise clients transform their IT through strategic outsourcing.
In his more than 25+ years in the IT world, he’s managed hundreds of IT professionals and helped 60+ clients overcome business challenges through wise use of technology. Ian’s problem-solving approach combines a passion for business success with extensive technical knowledge, as shown in his experience.

Adrian Amos

• Video: RVAsec 2023: Adrian Amos – I <3 my password
• Slides: https://rvasec.com/slides/2023/Amos_Adrian-I-Heart-My-Password_rvasec_12.pptx
• Twitter: @ahamos

Protecting identity is foundational to zero trust, and everybody wants passwordless, but is it always appropriate? If it is, how do we overcome barriers to success, and if it isn’t, how do we protect & isolate workloads to ensure the right people have the right access to the right apps & data? Any security approach must consider the human beings it’s designed to protect, while balancing the risks of authentication strengths.

About Adrian – I’ve supported the Richmond IT community since 1997, in every capacity from retail break/fix to military & corporate Wintel infrastructure. I transitioned to cloud solutions in 2010 and was the first technical hire at Synergy way back in 2012. I have a strong focus on identity & access management and collect terribly inconvenient hobbies.

Rick Lull

• Video: RVAsec 2023: Rick Lull – Network 201: A Tour Through Network Security
• Slides: https://rvasec.com/slides/2023/Lull_Rick-Network_Security_201.pdf

Taking the Network 101 presentation in 2019 a bit further, this talk will dive into network security aka technical security controls that should be considered with respect to risk management in common environment, including private/public cloud and the recent industry buzz words around ZTNA – Zero Trust Network Access.
If you have ever wondered how you might use a VRF to segment authenticated user traffic, this is a talk for you. If you are trying to cut through buzzwords that a sales guy is throwing your way about how to protect your remote workers, this is a talk for you.

About Rick – Lifelong geek turned security consultant after stops as a desktop tech, server bubba, and network jockey. Rick is a healthcare IT survivor, and is now playing Horatio on the bridge for hire with a local technology consulting company, advising clients on security strategy and operations. He currently holds CISSP, CCNP-Security, NSE7 and NSE4 certifications and previously held CEH and CNA certifications. He has promised to not make fun of any manufacturers during his talk.