@analoggirl11 / www.riskbasedsecurity.com
Risk Based Security

Inga has been involved with specialty insurance coverages since 1993 and brings a wealth of experience with all facets of risk transfer. Her focus includes the strategic management of data privacy and security exposures, with an emphasis on leveraging data-driven risk assessment to build sustainable insurance programs and product profitability. As the leader of the insurance practice group at Risk Based Security, Inga is responsible for a variety of client advisory services including identification of data security and privacy exposures, policyholder risk management support and the development and implementation of cost effective breach response solutions. As a strong advocate for sharing knowledge, Inga has presented at a variety of industry forums and has led many continuing educations sessions throughout the U.S. She currently holds a CIPP/US designation.

Cyber Insurance – Worth the Effort or Total Ripoff?

Have you ever found yourself paying premiums for years, just to be shortchanged by the insurance company when you submit a claim? It’s a common story and one that can leave the impression that an insurance policy isn’t worth much more than the paper it’s written on. But when it comes to transferring risk for a data breach event, cyber insurance can be a powerful and budget-saving tool. This session includes a discussion of how cyber insurance policies can be a benefit to both the security practitioners responsible for keeping data safe and the leaders tasked with minimizing the impact of a data breach. The session will also include an insider’s view of the real value behind this insurance and share strategies for leveraging these policies to your advantage.

@SethHanford / blogs.cisco.com/tag/trac/

Cisco

Seth Hanford manages Cisco’s TRAC team, whose members use Cisco’s expansive security intelligence resources to detect and respond to threats and generate original research on a wide array of security topics. Prior to this role, he worked for more than a decade in vulnerability and threat intelligence. Between his roles as a Security Analyst for Cisco’s vulnerability database service (IntelliShield) and as an Incident Manager on it’s Product Security Incident Response Team (PSIRT), he has reviewed and scored thousands of security vulnerabilities in a wide range of software products. In 2005 he began contributing to the Common Vulnerability Scoring System v2 working group, and in 2011 accepted a nomination to chair the special interest group tasked with developing CVSS version 3.

CVSS v3 – This One Goes to 11

Software vulnerabilities — love em or hate em, they’re crucial to your job. Likewise, you may have a love/hate relationship with vulnerability classification and severity scoring (like CVSS v2 or any number of proprietary methods). In this talk we will look at statistics and characteristics for thousands of vulnerabilities to see if we can determine what CVSS v2 did wrong, what it did right, and what we (the CVSS v3 Special Interest Group) intend to do to fix it. We will also come away with a better understanding for why systems like CVSS are important to security practitioners, even those who’d rather be popping shells than pushing off patches whose scores are “too low to care about”.

www.prevalent.net

Prevalent Networks

Prevalent Networks Managing Director Jonathan Dambrot, CISSP, works with the leading organizations in the world to help better manage third party and IT related risks. Prevalent develops Prevalent Vendor Risk Manager and provides compliance automation solutions from the cloud with its Prevalent Compliance as a Service. Jonathan received his MBA from The Pennsylvania State University and is currently Vice-Chair of the Shared Assessments Steering Committee, Chair of the SIG Committee, and sits on the Penn State Outreach Advisory Board.

Third Party Risk Management and Cybersecurity

Several recent research reports have identified that close to 80% of data breaches are caused by Third-Party Error. Additionally, The Ponemon Institute recently identified that third party error represented the largest factor in the cost of a data breach. Lastly, recent regulatory and mandate guidance has required most regulated industries to perform Vendor Risk Management as part of their security strategy. If you do not have third party risk management as part of your security strategy you potentially have a major gap in your program. This talk will discuss several use cases as well as strategies to consider in helping manage your third and fourth party risk.

@dystonica / dystoni.ca
Genesys Telecommunications

Sarah Clarke is a Senior Security Engineer at Genesys Telecommunications. She has 12 years of experience in IT, seven of which have specialized in Security. She has worked with nonprofit, government contracting, ISP, financial sector, and telecommunications organizations; currently, she is enjoying serving as application security testing and vulnerability management SME for Genesys Cloud, a global SaaS IVR and virtual call center PCI (and etc) compliant service provider.
Sarah’s passion for application security began with the Toyota break failure bug and continued with the work by Barnaby Jack and Jay Radcliffe on poor software design causing fatal error conditions in pacemakers and insulin pumps. She chooses to focus on helping teams make better software, to protect the innocent, save lives and identities.
Sarah is a member of Infraguard, holds four industry certifications, recently presented at Shmoocon Firetalks 2014, and volunteers to support the security community whenever possible.

Lessons Learned Implementing a SDLC
Developers and Quality Engineers are wonderful people who understand how to create, test, and validate features. They frequently aren’t, however, educated in school on architecting applications to prevent security failures, coding to not introduce security bugs, and testing to validate secure functionality.
The language of development – features, releases, agile – is not the same as security – XSS, CSRF, managing session state.
We have to communicate better with our developers and QEs, to inspire them to care, in their language; we have to work with senior management to identify how security fits into their needs to get buy-in and support.
This is a discussion on how that communication works best; overcoming cultural sticking points, and iterating through creating a process that creates better code without slowing down business.

@evanbooth / terminalcornucopia.com

Growing up, it was a safe bet that if an object around the house was held together with screws or contained any number of wires, Evan “treefort” Booth took it apart at some point to see what made it tick. In 4th grade, with the help of strategically placed pens, erasers, and a Pop-Tarts wrapper, Evan’s pencil box could quickly be converted into a model rocket launchpad. His Liquid Drano purchases to toilets cleaned ratio is absolutely abysmal. This never-ending supply of curiosity eventually translated into a passion for understanding computers and programming.
Having earned a degree in Digital Media — a nerdy union of design fundamentals and computer programming — from East Tennessee State University in Johnson City, Evan founded his company, Recursive Squirrel, where he has served a wide variety of clients in need of application development and consulting for nearly a decade. When he isn’t organizing 1′s and 0′s, Evan is likely off picking locks with the FALE Association of Locksport Enthusiasts, a lock picking group he co-founded in 2010.
In his most recent project, Terminal Cornucopia, Evan set out to demonstrate how difficult it would be for an attacker to construct lethal weapons in a typical airport terminal after the security screening. After successfully building an arsenal consisting of everything from simple melee weapons to reloadable firearms to a remotely-triggered incendiary suitcase, Terminal Cornucopia garnered international media attention and attracted viewers from nearly every country on the planet.
Make no mistake: the best part about buying a bulky item is, in fact, the huge cardboard box.

Evan will be presenting Terminal Cornucopia: Demystifying the Mullet

When solving difficult problems that require unorthodox thinking, it’s crucial that you remember APATHY: Acronyms Probably Aren’t That Helpful, Yo. Instead, we’ll dig into the practical side of creative problem solving by reflecting on Terminal Cornucopia — my year of building improvised weapons out of materials and items available in what is touted as one of the most “sanitized” environments designed for everyday citizens: the airport.

This talk will serve as a primer on building lethal improvised melee, projectile, explosive, and incendiary weapons. More importantly, I will share lessons learned about creativity, passion, and human potential during my year with Angus MacGyver.

Dust off your leather jacket and roll up those tube socks; we’re going to hit the ground running!

@DavidJBianco / detect-respond.blogspot.com
Mandiant (a FireEye Company)

Before coming to work as a DFIR subject matter expert at Mandiant, David spent five years helping to build an intel-driven detection & response program for a Fortune 5 company. He set detection strategies for a network of nearly 500 NSM sensors in over 160 countries and led response efforts for some of the company’s the most critical incidents, mainly involving targeted attacks. He stays active in the community, speaking and writing on the subjects of Incident Detection & Response and Threat Intelligence.

David will be presenting The Pyramid of Pain: Intel-Driven Detection & Response to Increase Your Adversary’s Cost of Operations

There’s more to good threat intelligence than lists of domains or IPs, and it’s useful for more than just finding bad actors in your environment. What if I told you that you could use threat intelligence not only to get better at detecting and responding to incidents, but also to make your attackers’ lives significantly more difficult, to drive up the costs of their operations and to potentially make it so expensive to operate against you that they give up? Sound too good to be true?
In this talk, I’ll cover a practical, proven framework for applying threat intel to incident detection and response. The framework’s centerpiece is the Pyramid of Pain. The result of nearly 5 years experience directing the global detection program for a Fortune 5 company, the Pyramid is a blueprint for turning your incident response capability into an offensive weapon to cause pain for your attackers.

Here are the speakers for the 2014 RVAs3c conference!

Head to the Speaker’s Page to see information about each speaker and the topics they will be presenting!